
Information Security Policy

The following is a web version of the current University of Sunderland Information Security Policy

1. Introduction and Purpose

1.1 Information security is concerned with all information, in electronic and paper format. The main purpose of implementing good information security is to allow the effective and efficient use of information, whilst safeguarding the organisation’s data from unauthorised access or modification, to ensure its availability, confidentiality and integrity.

1.2 This high-level policy is a key component of the University’s overall approach to information governance and should be considered alongside all other information governance and cybersecurity policies.

1.3 The aim of this policy is to advise staff and contractors of their obligations with regard to confidentiality, and where to seek further guidance and assistance. The objectives of this policy are to preserve:

  • Confidentiality – Access to data shall be confined to those with appropriate authority.
  • Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
  • Availability – Information shall be available and delivered to the right person, at the time when it is needed.

2. Scope

2.1 This policy applies to:

  • The University of Sunderland;
  • All subsidiary companies of the University of Sunderland;
  • All staff of the University of Sunderland and its subsidiary companies;
  • All contractors, suppliers and other people working on behalf of the University of Sunderland or its subsidiary companies.

2.2 It applies to all data that the University of Sunderland holds.

3. Definitions

3.1 System Level Security Policies (SLSPs) – Documentation specific to a system or systems, covering security and management procedures in place to ensure the security of the system.

3.2 Information Security Management System (ISMS) – The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

3.3 Information Asset – Information held which is of value to an organisation. This is generally a body of records or information managed as a single entity.

3.4 Information Security Incident – Any incident which affects the confidentiality, integrity or availability of any information of value to the University.

4. Roles and Responsibilities

4.1 Everyone who works for or with the University of Sunderland and its subsidiary companies has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles data must ensure that it is handled and processed in line with this policy.

4.2 The Board of Governors is ultimately responsible for ensuring that the University of Sunderland and its subsidiary companies meet their legal obligations.

4.3 Overall responsibility for this policy lies with the University’s Senior Information Risk Owner (SIRO), who will be a member of the Senior Leadership Board.

4.4 The Information Governance Manager and Data Protection Officer is responsible for drawing up all information governance policies, including the data protection and information security policies. They are also responsible for developing processes and guidance for all of the Information Governance (IG) policy areas, and for providing advice and guidance on the collection, use and protection of all types of information.

4.5 The Cyber Security Architect is responsible for developing IT security policy, standards and guidelines. The Cyber Security Architect is also responsible for ensuring that effective IT security systems, controls and training programmes are operationally implemented, fit for purpose and available across the University.

4.6 The Academic Deans and Directors of Service have responsibility for ensuring compliance with information governance policies within their areas of responsibility, and will assume the role of Information Asset Owner within those areas. The Information Asset Owner will assign Information Asset Administrator(s) from their area of responsibility.

4.7 Information Asset Administrators are accountable to their Academic Dean / Director, will be the day-to-day contact for the IG Team and wider service users, and will be responsible for monitoring compliance with IG policy within their faculty / service.

5. Policy Details

5.1 All information handled by the University will be handled in line with all applicable laws and regulations.

5.2 All relevant University records and information will be classified, in line with the Information Classification Process.

5.3 All records and information will be organised into groups known as Information Assets where it is appropriate to do so.

5.4 All Information Assets will be risk assessed, following the Information Risk Management processes and procedures. The outcome of each risk assessment will be shared and, where necessary, appropriately acted upon.

5.5 All access to Information Assets will be controlled by the appropriate asset owner / administrator, ensuring a minimum required access (least privilege) model is followed. Access will be periodically reviewed and amended as applicable.

5.6 All information security incidents will be centrally reported, and where applicable, remedial recommendations will be made and followed up. Reporting of information security incidents will be carried out in line with the Information Security Incident reporting procedure.

5.7 Information Asset Owners shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

5.8 Where information is being shared, stored or processed outside of the University controlled environment, sufficient assessment will be carried out on the recipient to ensure the security of our data. All data sharing activity will be covered by appropriate data sharing agreements or other contractual clauses.

5.9 Appropriate technical security measures will be taken to protect information. Details of these technical security measures can be found in the IT Security Policy and associated documentation.

5.10 Where there is a requirement to operate outside of the bounds of this policy, such activity will be signed off by an appropriate Information Asset Owner with an appropriate assessment of the risks and held centrally by the Information Governance Team.

6. Training and Education

6.1 All staff will receive information security training as part of their Cyber Security and Data Protection Training.

6.2 Staff identified as Information Asset Owners or Administrators will receive additional training above and beyond the basic staff training. This will be delivered face to face by a member of the Cyber Security or Information Governance Team.

6.3 This policy will be uploaded to the policy management tool, with all staff prompted to review it. Staff uptake will be monitored, with follow-up communications issued as necessary.

6.4 This policy will be uploaded to the Technical Services website along with all associated processes, procedures and guidance notes.

7. Documents

7.1 All staff should also be aware of the following policies:

  • Data Protection Policy
  • IT Security Policy
  • Corporate Records Management Policy

7.2 All staff should be aware of, and where applicable follow, the processes and procedures outlined in the following documents:

  • Information Classification Process
  • Understanding Information Assets
  • Information Risk Management Process
  • Information Security Incident Reporting Process
  • Sharing Information with Others