St George’s, University of London’s information security policy outlines our policies and procedures for ensuring our information security – specifically, the availability, integrity and confidentiality of all information held by the university and information flows into and out of the institution.
The document covers general aspects of information security, as well as addressing the issues of data protection, data backups, password security, acquisition and disposal of software and hardware, and access and security violations.
The policy applies to all users of St George’s IT services, including visitors, and should be read in conjunction with the St George’s IT conditions of use: core regulations and the guidance on core regulations (PDF).
1.1 The purpose of this document is to provide a clear statement of St George's, University of London's (SGUL) commitment to Information Security in the protection of SGUL and stakeholder information.
1.2 The policy is part of the Information Governance Framework and sits alongside the Information Management Policy.
2 Information Security (IS)
2.1 Our aim is to ensure we provide a secure environment and approach to the handling of information, in the most effective and efficient manner possible, whilst complying fully with all legal requirements, either explicit or implicit. SGUL IS covers:
- Information Risk – covering Information Risk management, Information Assets and Information Sharing.
- Data Incident Management – covering how to report a data incident and the subsequent investigation into and management of the incident.
- Starters, Movers & Leavers – covering the process to follow, with regards to access to information, when staff either start, change roles or leave SGUL.
- Privacy by Design – Data Protection Impact Assessment procedure to follow when any new system, application or process is procured / implemented, or when a change occurs to an existing system, application or process involving personal data.
- Acceptable use – covering the constraints and practices staff are to adhere to when using SGUL information and IT equipment.
2.2 The application of IS across SGUL is founded on the following guiding principles:
- Information will be protected from loss of confidentiality, integrity and availability.
- Information security requirements will be determined by assessment of risks.
- Users, resources or processes that store, transmit or process information will only have privileges according to their function.
- All relevant regulatory and legislative information security requirements will be met.
- All information security incidents, actual or suspected, must be reported.
- All new systems or processes, prior to implementation, must undergo a security assessment.
3 Roles and responsibilities
3.1 All staff have a responsibility for how they handle and protect information; details of these roles and responsibilities can be found in the SGUL IG Roles and Responsibilities Guidance.
4 Information Risk
4.1 SGUL recognises that information is a valuable asset and is committed to protecting information through preserving Confidentiality, Integrity and Availability. The SGUL Information Risk Policy outlines SGUL's management of information risk. To assist in identifying risk, SGUL will maintain a detailed knowledge of its information architecture and information assets across all business functions through the implementation of an information asset register, in accordance with the SGUL Information Asset Guidance.
5 Information Sharing
5.1 Sharing of personal information within and outside SGUL will only be carried out in accordance with SGUL Information Sharing Procedure, in compliance with the relevant legislative framework.
5.2 SGUL is committed to sharing personal information across SGUL and partner organisations to improve service delivery, ensuring that sharing is legal, transparent and proportionate.
6 Data Incident Management
6.1.1 To ensure that SGUL can respond to data security incidents effectively and in a timely manner, it is the responsibility of each member of staff to report any suspicion of, or details about, a data incident to their line manager and the Data Protection Officer (DPO) immediately.
6.1.2 Once notified, the DPO will initiate the Reporting a Data Incident Process.
6.3 Data security incidents will be investigated by a Senior Manager, as a minimum. The guidelines for carrying out an investigation and producing its subsequent report can be found in the Data Incident Investigation Process.
7 Starter, Mover or Leaver
7.1 It is important that an access registration and de-registration procedure is in place for all SGUL information systems and services whenever a staff member starts, moves roles or leaves SGUL.
8 Privacy by Design
8.1 SGUL will consider all aspects of Data Protection when procuring / implementing any new system, application or process, or when a change occurs to an existing system, application or process. The consideration of risk will be through the completion of a Data Protection Impact Assessment (DPIA) during the procurement or implementation.
8.2 The completion of, and processes around, carrying out a DPIA can be found in the Privacy by Design Procedure.
9 IT Conditions of Use
9.1 To enable staff to understand the constraints and practices for the use of all SGUL information and IT equipment, which includes the use of email, internet, voice and mobile IT equipment, an IT Conditions of Use Policy has been written which must be adhered to. The SGUL Guidance on proper and improper use of IT services is to be read and adhered to alongside the Policy.
10.1 Ownership of the IS Policy is with the Head of IT Services and the Data Protection Officer, reporting to the Information Governance Steering Group (IGSG), which provides high-level oversight of information security management.
10.2 Responsibility for staff compliance with the SGUL IS Policy is with SGUL Executive Board.
10.3 Staff will be made aware of this policy upon publication and on a regular basis afterwards through SGUL internal communications channels, including the Intranet, Staff Update and team briefings.
10.4 New staff will be informed of the policy through the induction process.
11.1 An annual review of IS arrangements will be managed by the IT Services Manager reporting to the IGSG.
11.2 Staff awareness training will be reported quarterly to the IGSG by the SGUL Learning and Development Manager.