Policy guidance

The set of General Information Security Policies contains detail on the security controls and policy statements to which the University aspires. Within each policy, there is additional guidance on how that policy should be implemented. Listed below are the key points to be drawn from this set of policies.

Information risk management

  • Information security is more than an IT issue. It is a strategic risk management issue
  • Identify key information assets and apply an appropriate level of protection to them. For instance, back up data to ensure its availability
  • Actively consider risks associated with the security of the information that you manage or handle
  • Be proactive in managing information security. It is not enough just to respond to incidents
  • Security controls and information security policies should be commensurate with the level of risk that can be tolerated. This means we need to decide our appetite for risk
  • Changes in technology such as cloud computing or mobile devices can shift the balance of risk. New technologies should be subject to an information security risk assessment before introduction

Incident management

  • There must be established and tested plans and processes to restore service and information assets after failure or loss
  • Plans should be in place to manage the impact of and recovery from an information security incident

Advice and guidance

  • Users should be informed of acceptable and secure use of University systems
  • Users should have training on information security, and be regularly made aware of risks
  • New users should be briefed on information security as part of their induction
  • Threats are not only technical, but can also involve social engineering – e.g. tricking a user into clicking on a malicious link, or pretending to be someone else to reset their password
  • All users should respond to and act on notices from Information Services on perceived security threats

Managing user privileges

  • Accounts should be issued and deleted according to set and agreed processes
  • User account privileges should be granted according to the user's role
  • Minimise the number of user accounts with elevated privileges, as these pose a higher risk

Secure configuration

  • All systems, including personally-owned systems, should be kept up to date with the latest security patches and protected against malware
  • Maintain hardware and software inventories of University assets to inform the need for updates

Monitoring

  • Centrally managed systems should be monitored continuously for unusual activity
  • Security controls should be regularly reviewed and tested to ensure they are being followed and are effective. Non-compliance may be down to a lack of training or point to a need for policy revision
  • Users should be aware that their activity may be monitored, especially those handling sensitive information

Network security

  • The University data network should be protected against external and internal attack
  • Security should be regularly tested by undertaking penetration tests that simulate the behaviour of a malicious attacker in order to discover vulnerabilities

Mobile devices

  • Information stored on a mobile device (e.g. mobile phone, laptop, USB stick, CD) is particularly at risk of loss or theft
  • Mobile devices should be used securely and configured to prevent unauthorised access
  • Take special care with the security of information when it is in transit (e.g. attached to an email, stored on a mobile device, shared via a collaboration tool)

Further information

http://www.bis.gov.uk/policies/business-sectors/cyber-security/downloads