This policy outlines the approach of the Department of Biochemistry ('the department') to information security management and provides the guiding principles and responsibilities to ensure the department's security objectives are met.
This policy is applicable across the department and individually applies to:
- all individuals who have access to departmental information and technologies;
- all facilities, technologies and services that are used to process departmental information;
- information processed, in any format, by the department pursuant to its operational activities;
- internal and external processes used to process departmental information; and
- external parties that provide information processing services to the department.
The department's objectives for information security are that:
- a culture is embedded to ensure all teaching, research and administration activities consider information security;
- individuals are aware and kept informed of their information security responsibilities;
- information risks are identified, managed and mitigated to an acceptable level;
- authorised users can securely access information to perform their roles;
- facilities, technologies and services adequately balance usability and security;
- implemented security controls are pragmatic, effective and measurable;
- contractual, regulatory and legal obligations relating to information security are met; and
- incidents are effectively managed and resolved, and lessons are learnt from them to improve our control environment.
4. Information Security Policy Framework (ISPF)
Information is critical to the department's operations and failure to protect information increases the risk of financial and reputational losses. The department is committed to protecting information, in all its forms, from loss of confidentiality, integrity and availability, ensuring that:
- all staff complete information security awareness training;
- information security risk is adequately managed and risk assessments on IT systems and business processes are performed where appropriate;
- all relevant information security requirements of the department are covered in agreements with any third-party partners or suppliers, and compliance against these is monitored;
- appropriate information security controls are implemented to protect all IT facilities, technologies and services used to access, process and store departmental information;
- all information security incidents are reported in a timely manner via appropriate management channels, information systems are isolated, and incidents properly investigated and managed;
- Information Asset Owners are identified for all departmental information assets, assets are classified according to how critical and sensitive they are, and rules for their use are in place; and
- information security controls are monitored to ensure they are adequate and effective.
To provide the foundation of a pragmatic information security framework, the department will implement a set of minimum information security controls, known as the baseline, either as published by the University's Information Security Team or of equivalent strength. Where research, regulatory or national requirements exceed this baseline, controls will be increased at the necessary service or project level. Where it is not possible or practicable to meet the baseline, exceptions will be documented to justify the deviation and appropriate compensating controls will be put in place. The baseline will support the department in achieving its information security objectives.
The policy and the baseline shall be communicated to users and relevant external parties, and linked to from the website.
The following bodies and individuals have specific information security responsibilities:
- The Head of Department is accountable for the effective implementation of this information security policy, and supporting information security rules and standards, within the department.
- The IT Management Committee has executive responsibility for information security within the department. Specifically, the IT Management Committee has responsibility for overseeing the management of the security risks to departmental staff and students, its infrastructure and its information.
- The Infrastructure & Security Manager is responsible for establishing and maintaining the department's information security management framework to ensure the availability, integrity and confidentiality of departmental information. The Infrastructure & Security Manager will lead on the definition and implementation of departmental information security arrangements.
- Line managers are responsible for ensuring that all staff they manage are made aware of the policy and are given appropriate support and resources to comply.
- Users are responsible for making informed decisions to protect the information that they process.
The department shall conduct information security compliance and assurance activities, facilitated by the University's Information Security Team, to ensure that its information security objectives and the requirements of the ISPF are met. Wilful failure to comply with the policy and baseline will be treated extremely seriously by the department and may result in enforcement action against a group and/or an individual.
7. Review and Development
This policy, and supporting ISPF documentation, shall be reviewed and updated by the Infrastructure & Security Manager and approved by the IT Management Committee on an annual basis to ensure that they:
- remain operationally fit for purpose;
- reflect changes in technologies;
- are aligned to industry best practice; and
- support continued regulatory, contractual and legal compliance.
Note: University guidance on information security is given at
This policy was reviewed and approved by the IT Management Committee on 17 October 2018.