Information Security Policy
This policy is divided into two parts.
- Part 1 deals with the broad objectives of information security and the division of responsibility between different groups within the department.
- Part 2 sets out the detailed procedures and practices that need to be followed by all end-users in order to implement the policy's objectives.
Part 1 - OBJECTIVES AND ORGANISATION OF INFORMATION SECURITY
1. Policy statement
The Department of Biochemistry ('the department') is committed to protecting the security of its information and information systems.
The information it manages shall be appropriately secured to prevent breaches of confidentiality, failures of integrity or interruptions to the availability of that information, as well as to ensure appropriate compliance.
The department shall provide education and training in information security and raise awareness of its importance.
To determine the appropriate level of security control that should be applied to information systems, a process of risk assessment shall be carried out in order to define security requirements and identify the probability and impact of security breaches.
Specialist advice on information security shall be made available throughout the department and advice can be sought via the University's Information Security pages (http://help.it.ox.ac.uk/service/information-security) and/or OxCERT (http://help.it.ox.ac.uk/network/security/index).
2. Importance of information security
The department's computer and information systems underpin all departmental activities and are essential for the performance of its research, teaching and administration functions. The department recognises the need for its staff, students, visitors and contractors to have access to the information they require in order to carry out their work and recognises the role of information security in enabling this. Security of information is essential to maintaining the continuity of its activities and to its compliance with University regulations and policies.
In July 2012, Council approved an information security policy that provides a general framework for the management of information security throughout the University. However, in order to accommodate local differences in security requirements, each department or unit is required to formulate its own information security policy.
This policy supplements the University's overarching policy and defines the framework within which information security will be managed across the department. It is the primary departmental policy under which all other technical and security related policies reside. Annex A provides a list of all other policies and procedures that support this policy.
This policy is applicable to and will be communicated to all staff, students and other relevant parties, including visitors and contractors. It covers, but is not limited to, any systems or data attached to the department's computer or telephone networks, any systems supplied by the department, any communications sent to or from the department and any data accessed by departmental users - which is owned either by the University or the department - held on systems external to the department's network.
5. Roles and responsibilities
The Head of Department is ultimately responsible for the maintenance of this policy and for its implementation within the department. This policy has been approved by the department's IT Management Committee and forms part of its policies and procedures.
The IT Management Committee is responsible for reviewing this policy on an annual basis. It will provide clear direction, visible support and promote information security through appropriate commitment and adequate resourcing.
The Infrastructure & Security Manager is responsible for the management of information security and, specifically, for providing advice and guidance on the implementation of this policy.
It is the responsibility of all line managers within the department to ensure that all staff for which they are responsible are 1) made fully aware of the policy; and 2) given appropriate support and resources to comply.
It is the responsibility of each user to comply with this policy, and with all other policies and procedures relating to information security. If a user is uncertain whether a particular activity is permissible under this or related policies, they should consult their line manager or the Infrastructure & Security Manager.
Part 2 - DETAILED PROCEDURES AND PRACTICES
This part is directed at end users and sets out the procedures and practices you need to follow in order to implement the objectives identified in Part 1, particularly in relation to the protection of confidential information.
6. Definition of confidential information
For this purpose, confidential information is any information that is not intended to be publicly available. If the loss or unauthorised disclosure of information could have adverse consequences for the University or individuals, it is confidential.
Given the potentially serious consequences of breaching the Data Protection Act (DPA), you should assume that all personal data is confidential. (Personal data is any data that identifies a living individual e.g. a CV, email address, reference, job or course application, home contact details, etc.)
Examples of confidential information, involving both personal data and business information, are at Annex B.
7. Use of mobile devices
Users of mobile devices should follow the guidance at https://www.infosec.ox.ac.uk/want/mobile
The use of mobile devices (laptops, USB/memory sticks, smart phones, tablets, etc.) is an area of high risk, because they can be easily lost or stolen. It is essential that such devices be appropriately secured.
You must use an authentication method that follows the guidance at http://help.it.ox.ac.uk/registration/index#passwords
You should apply the latest security patches to your device.
When using your device on an unsecured public wireless network to connect to the University network, you must use a secure protocol such as the Biochemistry OpenVPN service (http://www.bioch.ox.ac.uk/openvpn), the University VPN service (http://help.it.ox.ac.uk/network/vpn/index), ssh or https.
Applications should be installed only from trusted locations.
Encryption of laptops and USB/memory sticks
Any laptop or USB/memory stick containing confidential data must be encrypted and the keys managed in accordance with the policies and guidelines at http://www.it.ox.ac.uk/policies-and-guidelines/is-toolkit/encryption
Other devices (tablets, smartphones, BlackBerrys)
There is a range of ways to secure other devices. If a device is to be used to handle confidential information, it must be appropriately secured in accordance with the principles stated in the Information Security toolkit (http://www.it.ox.ac.uk/policies-and-guidelines/is-toolkit/mobile-security-smartphones-tablets). If this cannot be done, you must not use the device to hold or transmit confidential data.
8. Information exchange (including email and cloud services)
Email is not a secure form of communication, and ideally you should not use it to send confidential information, or at least minimise the amount you send in this way.
You should first consider communicating confidential information by a more secure method than email. If a suitable alternative is not available, you should consider encrypting the message and/or attachment. Further information is available at http://help.it.ox.ac.uk/email/secure/index
You must ensure that emails containing confidential data are sent to the correct address and do not rely solely on any 'autocomplete' function. You should take particular care when selecting an address from a directory.
The University provides its own cloud services (http://www.it.ox.ac.uk/nsms/private-cloud) and these should be considered ahead of public services.
When sending confidential data by fax, you must ensure you use the correct number and that the recipient is near to the machine at the other end, ready to collect the information as soon as it is printed.
When sending confidential documents by post, whether internal or external post, you must ensure that the envelope is sealed securely, marked 'Private and confidential', and addressed correctly.
Confidential data should be stored on departmental file servers and not on local hard drives.
You should set appropriate file and directory (folder) permissions where these are under your control.
Confidential data must be password protected or encrypted when held on any storage device.
Having access to a shared drive does not imply that you have permission to view all the folders/files on that drive. You should view only the information you need to carry out your work.
You must not under any circumstances share your password with others or allow others to use your account to access the department's network or other resources.
Passwords should not be easy to guess. See http://help.it.ox.ac.uk/registration/index#passwords for guidance.
11. Remote access
Only trusted machines, not public kiosk machines, should be used to connect to the University network remotely.
Home computers used for remote access must use a currently supported operating system, and be protected by a firewall, anti-virus software and by the installation of security updates.
12. Copying and working off-site
To avoid the risks of taking copies of confidential information off-site, you should whenever possible use remote access facilities to look at confidential information held on University systems.
Confidential data should not be downloaded from a secure system (e.g. OSS, Oracle Financials, DARS) unless strictly necessary.
You should ensure that any copies you make of confidential data are the minimum required and that they are deleted or destroyed when no longer needed.
Critical files (i.e. those whose loss would be detrimental to the department or the owner) must be backed up via the University HFS service (http://help.it.ox.ac.uk/hfs/index), or they must be stored on a departmental server that is backed up regularly. No further backups of confidential files should normally be taken.
Before data is encrypted, you must ensure that any of it that is critical is securely backed up.
You must ensure that mobile devices containing backup copies of critical data are securely stored (see section 15 below on physical security).
When disposing of surplus or obsolete mobile devices containing confidential data, you must ensure that any confidential data is removed permanently from the device (deleting the visible files is not sufficient).
You must remove any files or papers before disposing of office furniture.
Confidential documents must be shredded when no longer needed.
15. Physical security
You must lock your workstation, laptop or tablet when leaving your desk and, when possible, log out when leaving for the day.
Confidential data, held either in printed form or on electronic media, must be stored in a locked cupboard, cabinet or drawer. If this is not possible, you must lock the room when it is unoccupied.
Keys to cupboards, drawers or cabinets must not be left on open display when the room is unoccupied.
When travelling with a mobile device, you must take reasonable care to reduce the risk of loss or theft.
You should not read confidential data in areas where it can be easily viewed by others.
Suspected or actual security incidents e.g. the theft or loss of a mobile device, or a virus attack, should be reported immediately to Biochemistry IT Support.
The department shall keep a record of all security incidents and follow the University's advice for the escalation and reporting of such incidents. Incidents involving personal data shall be reported to the University's Data Protection Team.
Any failure to comply with this policy may result in disciplinary action.
Supporting Policies and Procedures
Local policies for IT Job Requests, Network Accounts, Network Equipment, Server Room, and IT Equipment Disposal are given at
A comprehensive set of policy documents, regulations and guidance.
Regulations and Policies applying to all users of University ICT facilities. These apply to all staff, University and non-University library members and other relevant parties, including visitors and contractors.
Examples of confidential information
Examples of personal data [1]
- Any set of data that could be used for fraud or identity theft, including but not limited to bank account or credit card details, national insurance number, passport number, home address, date of birth
- Data relating to an individual's application for a job, performance in a job interview, work performance, promotion or disciplinary record
- Data relating to a student's academic performance or disciplinary record
- Data relating to an individual's personal or family life e.g. their interests, hobbies, relationships
- Any sensitive personal data, as defined in the DPA, i.e. information relating to:
  - health (mental or physical), including disability
  - ethnicity or race
  - sexual life
  - trade union membership
  - political opinions
  - religious beliefs
  - commission or alleged commission of a criminal offence
  - criminal proceedings
Examples of business information
- Information provided to the University on the understanding that it is confidential, whether explicit or assumed
- Information the disclosure of which would disadvantage the University's position in negotiations, whether commercial or otherwise
- Reorganisation or restructuring proposals that would have a significant impact on individuals, prior to a decision being announced
- Exam questions before the examination takes place
- Security arrangements for buildings or for high profile visitors or events
- Papers discussing proposed changes to policies or procedures on high profile or sensitive issues, before the changes are announced
[1] Any recorded information, hard copy or electronic, which identifies a living individual, e.g. name, email address, reference, CV, photograph.
This policy was approved by the IT Management Committee on 20 January 2016
Page Last Updated: 23/01/2017 by John Elder
© 2017 Department of Biochemistry