1 Introduction

The continued confidentiality, integrity and availability of information systems is fundamental to the operation of the University. Failure to secure information systems would jeopardise the University's ability to fulfil its mission of providing world-class research and teaching, with broader long-term consequences arising from the associated risk of financial or reputational loss.

This Electronic Information Systems Security Policy provides all members of the University with the guiding principles and responsibilities required to protect its information systems. Other supporting University policies, procedures and guidelines will set out specific subject areas in more detail.

The Digital, Data & Technology Group will lead the University's commitment to the successful implementation of information security management, but this is only possible if all members of the University community are aware of, and carry out, their own personal responsibilities.

1.1 Purpose of Policy

The intention of this policy is to:

  • Ensure that University-managed information systems are protected against security threats, and that risks which cannot be directly addressed are mitigated
  • Ensure that all members of the University are aware of, and able to comply with, relevant UK and EU legislation
  • Ensure that all users are aware of and understand their personal responsibility for protecting the confidentiality and integrity of the data they access
  • Ensure that all users are aware of, and able to comply with, this policy and other supporting policies
  • Protect the University's reputation and business, ensure that the University is able to meet its legal obligations, and protect the University from liability or damage arising from misuse of IT facilities
  • Ensure timely review of policy and procedure in response to feedback, legislation and other factors so as to improve ongoing security.

1.2 Scope

This Information Systems Security Policy applies to all members of the University, all third parties who interact with University information, and all of the systems used to store or process it.

2 Policy

2.1 Awareness and communication

All authorised users are informed of the relevant policies, supporting policies and guidance when their account is created. Updates to guidance will be publicised through the DD&T website and highlighted at major points of interaction with DD&T systems as appropriate for the change.

2.2 Definitions

University Data - includes all data elements owned or licensed by the University, or any information processed by the University on behalf of a third party.

University Information Systems - include, but are not limited to, all information systems, all information held, used or presented on the University network, and anyone who uses that information.

Data Steward - The most senior University researcher associated with a research project is the Data Steward for that project and is ultimately responsible for research data management.

Data Custodian - Data Custodians are responsible for the safe custody, transport, storage of the data and implementation of business rules. Examples are systems administrators and developers within DD&T.

2.3 Information Security Principles

The following principles provide a framework for the security and management of University information and information systems.

  1. Information should be classified according to the Information Classification Framework and any other legislative, regulatory or contractual requirements that may increase the sensitivity of the information and its security needs.
  2. Data Stewards are responsible for ensuring that their data are classified and, working with Data Custodians, that information is handled according to its classification level and that appropriate procedures and systems are in place to meet this requirement. Where personal data are stored, appropriate consent for storage and processing must be obtained and recorded.
  3. All individuals covered by the scope of this policy must handle information appropriately according to its classification level.
  4. Information should only be made available to those with a legitimate need for it.
  5. Information will be protected against unauthorised access and processing.
  6. Information will be protected against loss and corruption.
  7. Information will be disposed of in a secure and timely manner, using measures appropriate to its classification.
  8. Anyone who becomes aware of a breach of this policy must report it promptly.

2.4 Legal and regulatory obligations

The University and its staff/students/users/members must comply with all current UK and EU legislation and with regulatory and contractual requirements. A summary of relevant legislation is provided in Appendix A - Information Systems Security Policy Guide to Relevant Legislation.

2.5 Information Classification

The following is a summary of the information classification levels referred to in the Information Security Principles. Detailed definitions and further guidance can be found in the Information Classification Framework (ICF) published by the University Secretary's Office. The ICF includes definitions from the Data Protection Policy.

Category - Highly Restricted

Description

Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage the University’s interests and reputation; and/or significantly threaten the security/safety of the University and its staff/students.

Examples

  • Sensitive personal data relating to identifiable living individuals
  • Individual’s bank details
  • Large aggregates (>1000 records) of personal data such as personal contact details
  • Other information whose disclosure could compromise personal safety or the security of critical functions and assets, e.g. network passwords and access codes for higher risk areas

Category - Restricted

Description

Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the University’s commercial interests, and/or have some negative impact on the University’s reputation.

Examples

  • Personal data relating to identifiable living individuals
  • Student assessment marks
  • Staff contact details
  • Research data, or information or IP with commercial value/obligation

Category - Internal Use

Description

Information that is not public and should only be shared within the University, but whose disclosure would not cause substantive harm to the University and/or individuals.

Examples

  • Non-confidential internal correspondence, e.g. routine administration such as room bookings and catering arrangements
  • Final working group papers and minutes
  • Internal policies and procedures

2.6 Compliance and Incident notification

Compliance with the Information Security Policy by all users of University information systems is essential. Any breach of information security is a serious matter and may result in the loss of confidentiality, integrity or availability of personal or other confidential data. Such a loss may result in criminal or civil action against the University, and may also lead to business loss and financial penalties.

Any actual or suspected breach of this policy must be reported as early as possible to the Chief Digital and Information Officer or the IT Security Manager, in accordance with the Incident Investigation Procedure. All security incidents will be investigated and consequent actions may follow in line with this policy; the Acceptable Use Policy; University disciplinary policy; and relevant laws.

In accordance with the University's Data Protection Policy, the Data Protection Team will be informed of any breach affecting personal data. Compliance with this policy should form part of any contract with a third party that may involve access to University systems or data.

3 Responsibilities

3.1 Individuals

Individuals must comply with the Acceptable Use Policy and follow the relevant supporting procedures and guidance. Individuals should only access systems and information that they have a legitimate right to access, and must not deliberately attempt to gain unauthorised access to other information. Individuals must not help or allow other individuals to attempt to gain unauthorised access to data. In particular, individuals should follow the information security "Dos and Don'ts" set out below:

DO

  • Do use strong passwords, and change them if you think they may have been compromised
  • Do report any loss or suspected loss of data
  • Do be alert to bogus emails or phone calls asking for confidential information; report anything suspicious to the DD&T service desk
  • Do keep software up to date and use antivirus on all possible devices
  • Do be mindful of the risks of using public Wifi or computers
  • Do ensure University data is stored on University systems
  • Do password protect and encrypt your personally owned devices

DO NOT

  • Don't give your password to anyone
  • Don't reuse your University password for any other account
  • Don't open suspicious documents or links
  • Don't undermine the security of University systems
  • Don't provide access to University information or systems
  • Don't copy confidential University information without permission
  • Don't leave your computers or phones unlocked

3.2 Data Stewards

The responsibilities of a Data Steward are to:

  • Know all of the information for which they are responsible and classify it in accordance with Information Security Principle 1.
  • Comply with the Research Data policy.
  • Ensure that the Data Custodians maintaining the information systems that hold or process their data are aware of any additional requirements that may be needed to protect data beyond the normal user data.

3.3 Data Custodians

Data Custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities under 3.1 they must:

  • Ensure the physical and network security of the systems.
  • Ensure that the systems they maintain are appropriately configured, maintained and developed.
  • Ensure that the data are appropriately stored and backed up.
  • Ensure that appropriate access controls are in place to meet the requirements of the Data Steward.
  • Understand and document risks, take appropriate steps to mitigate them, and ensure that the data owners understand these issues.
  • Document operational procedures and responsibilities of staff.
  • Publish procedures for system users to allow secure access and use.
  • Ensure that the systems comply with legal and other contractual requirements.

3.4 IT Security Manager

Responsible for the Electronic Information Systems Security Policy and for providing specialist advice to the University, in particular to Data Custodians and Data Stewards. The IT Security Manager will advise on appropriate security measures for any newly introduced information system, in support of a clear and consistent application of the policy.

3.5 The Digital, Data & Technology Group

In addition to its function as a Data Custodian for many systems, DD&T must ensure that the provision of IT infrastructure is consistent with the requirements of this policy, in support of other Data Custodians.

3.6 Internal Audit

Internal Audit will ensure that the processes and classifications of Data Custodians are appropriately reviewed.

3.7 University Secretary

The University Secretary's Office is responsible for information security training, the publication of the Information Classification Framework guidance, and policy and compliance associated with the Data Protection Act.

4 Supporting regulations, policies and guidelines

Other policies published by the University support and reinforce this policy statement. These include but are not limited to:

Policy review

The University will review this policy as required to ensure that it remains appropriate and up to date. Any questions or concerns should be raised with the IT Security Manager.

5 Supporting documents

Document Control Information

Owner: Mark Acres IT Security Manager
Version Number: 1.0
Approval Date: April 2016
Approved By: Executive Committee
Date of Last review: July 2016