Cyber Security Policy

Purpose
 
Information that’s collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption. Information may be put at risk by poor education and training, and the breach of security controls.
 
Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation, as well as possible judgements being made against MY ITS.
 
This high level Information Security Policy sits alongside the ‘Information Risk Management Policy’ and ‘Data Protection Policy’. This is to provide the high-level outline of, and justification for, MY ITS’s risk-based information security controls.
 
Objectives
 
MY ITS’s security objectives are that:
 
• our information risks are identified, managed and treated according to an agreed risk tolerance
• our authorised users can securely access and share information in order to perform their roles
• our physical, procedural, and technical controls balance user experience and security
• our contractual and legal obligations relating to information security are met
• our teaching, research, and administrative activity consider information security
• individuals accessing our information are aware of their information security responsibilities
• incidents affecting our information assets are resolved and learned from to improve our controls
 
Scope
 
The Information Security Policy and its supporting controls, processes, and procedures apply to all information used at MY ITS, in all formats. This includes information processed by other organisations in their dealings with MY ITS.
 
The Information Security Policy and its supporting controls, processes, and procedures apply to all individuals who have access to MY ITS information and technologies. This includes external parties that provide information processing services to MY ITS.
 
Compliance monitoring
 
Compliance with the controls in this policy will be monitored by the Information Security Team and reported to the Information Governance Board.
 
Review
 
A review of this policy will be undertaken by the Senior Technician. This will be done annually or as required and will be approved by the Directors.
 
Policy Statement
 
It is MY ITS’s policy to ensure that information is protected from a loss of:
 
• confidentiality – information will be accessible only to authorised individuals
• integrity – the accuracy and completeness of information will be maintained
• availability – information will be accessible to authorised users and processes when required
 
MY ITS will implement an Information Security Management System based on certified standards as required.
 
MY ITS will be mindful of the approaches adopted by its stakeholders, including research partners.
 
MY ITS will adopt a risk-based approach to the application of the following controls:
 
I) Information security policies
 
A set of lower-level controls, processes, and procedures for information security will be defined, in support of the high-level Information Security Policy and its stated objectives. This suite of supporting documentation will be approved by the Senior Technician published and communicated to MY ITS users and relevant external parties.
 
II) Organisation of Information security
 
MY ITS will define and implement suitable governance arrangements for the management of information security. This will include identification and allocation of security responsibilities, to initiate and control the implementation and operation of information security within MY ITS.
 
MY ITS will appoint:
 
• an Information Security specialist to manage the day-to-day information security function
• Information Asset Owners (IAOs) to assume local accountability for information management
• Information Asset Managers (IAMs) responsible for day-to-day information management
 
III) Human resources security
 
MY ITS’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff. Poor or inappropriate behaviour will be addressed.
 
Where practical, security responsibilities will be included in role descriptions, person specifications, and personal development plans.
 
IV) Asset management
 
All assets will be documented and accounted for. This includes:
 
• information
• software
• electronic information processing equipment
• service utilities
• people
 
Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
 
All information assets will be classified according to their legal requirements, business value, criticality, and sensitivity. Classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.
 
V) Access control
 
Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.
 
A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed and will include consideration of multiple factors as appropriate.
 
Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. The separation of duties will be implemented, where practical.
 
VI) Cryptography
 
MY ITS will provide guidance and tools to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information and systems.
 
VII) Physical and environmental security
 
Information processing facilities are housed in secure areas, physically protected from unauthorised access, damage, and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorised access and protect assets. This includes those that are critical or sensitive, against forcible or hidden attacks.
 
VIII) Operations Security
 
MY ITS will ensure the correct and secure operations of information processing systems. This will include:
 
• documented operating procedures
• the use of formal change and capacity management
• controls against malware
• defined use of logging
• vulnerability management
 
IX) Communications Security
 
MY ITS will maintain network security controls to ensure the protection of information within its networks. MY ITS will also provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities. This is in line with the classification and handling requirements associated with that information.
 
X) System acquisition, development and maintenance
 
Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.
 
Controls to reduce any risks identified will be implemented where appropriate. Systems development will be subject to change control and separation of test, development, and operational environments.
 
XI) Supplier relationships
 
MY ITS’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected.
 
Supplier activity will be monitored and audited according to the value of the assets and the associated risks.
 
XII) Information security incident management
 
Guidance will be available on what constitutes an information security incident and how this should be reported. Actual or suspected breaches of information security must be reported and will be investigated. The appropriate action to correct the breach will be taken, and any learning built into controls.
 
XIII) Information security aspects of business continuity management
 
MY ITS will have in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters. This is to ensure their timely recovery in line with documented business needs. This will include appropriate backup routines and built-in resilience.
 
Business continuity plans must be maintained and tested in support of this policy. Business impact analysis will be undertaken, detailing the consequences of:
 
• disasters
• security failures
• loss of service
• lack of service availability
 
XIV) Compliance
 
The design, operation, use, and management of information systems must comply with all statutory, regulatory, and contractual security requirements.
 
Currently, this includes:
 
• data protection legislation
• the payment card industry standard (PCI-DSS)
• the government’s Prevent strategy
• MY ITS’s contractual commitments
 
MY ITS will use a combination of internal and external audits to demonstrate compliance against chosen standards and best practices, including against internal policies and procedures. This will include:
 
• IT health checks
• gap analyses against documented standards
• internal checks on staff compliance
• returns from Information Asset Owners
 
Review of this document: annually by our Senior Technician.
 
Next review date: March 2024.