Information Security Policy
The Information Security Policy should be read and adhered to by all users of University computing and information services.
Introduction
It is proposed that this paper be adopted by the University as its policy on Information Security, and as a framework within which to consider all specific policies and procedures concerned with information security matters.
Scope
This policy should be read in conjunction with the University's Information Strategy, which is concerned with all forms of information, independent of the medium. Information Security covers the protection of all forms of information to ensure its confidentiality, integrity and availability (and includes, but is not limited to: information stored on computers, transmitted across networks, printed or written on paper, spoken directly or over a voice network, and held on 'identity cards').
This policy applies to all areas of the University's business and the people and organisations involved in it, whether on University property or not. This policy covers information and systems under central control, and those controlled by individual users.
Objective
The University depends upon the free and open flow of information, which in turn affects its success as a research-led institution of international standing. The objective of this policy and the associated documents is to protect the University by preventing and limiting the impact of information security problems that might damage the University's operation, reputation or business.
The policy recognises the concepts of academic and individual freedom, and will aim to ensure that the University: employs appropriate security measures; adopts a suitable methodology for guiding the approach to managing security; and complies with all legal and contractual requirements.
Policy Development and Implementation
The University has already developed detailed policies and procedures that in part implement the requirements of this information security policy; however, there are a number of areas that still require specific policies. New policies will be developed and existing ones reviewed. The whole policy will be formally reviewed every 5 years.
The University will designate an individual as Information Security Officer, who will convene a standing committee on information security matters. This body will develop and/or review any policy and procedure developed in this area prior to authorisation, adoption and publication; and will establish an appropriate methodology for guiding the approach to managing security.
Responsibilities
The VC / R&S has (executive) responsibility for all matters of information security in the University. Specific responsibilities will in practice be delegated to CICS and others. The Information Security Officer will have direct access to R&S/VC.
All users of information systems, whether central or individual, are responsible for their security. All users must comply with statutory, University and departmental regulations and procedures regarding information security. Staff with responsibility for others must ensure that they are aware of and comply with policy and procedure in this area.
Information Security
The University operates under obligations that arise from legal requirements (e.g. the Data Protection Act 1998); requirements of external bodies (e.g. the Janet Acceptable Use Policy); contractual requirements (e.g. software licences, data access licences); and internal regulations and rules (e.g. Regulations on the Use of Computing Facilities, IT Code of Practice). All users must comply with these requirements.
The University operates in a potentially hostile environment. The University, its information and/or its information systems may be damaged by deliberate malicious attack (e.g. break-in, hacking etc.); random automated attacks (viruses, probes etc.); accidental damage (e.g. accidental deletion or disposal of information etc.); or the theft of equipment or information. The University will ensure that all information systems are adequately protected and that appropriate physical security is in place. All users must be aware of the dangers and follow the published rules and guidelines.
With the exception of access to information intended for the general public (e.g. the University Web Site), use of central information systems will be restricted to registered users. There will be a policy and set of procedures that defines eligibility to be registered, the management and review of such access and its removal when appropriate.
The University may intercept any communications on its systems and networks (voice and data) as permitted by the relevant legislation. In particular this includes, but is not limited to, communications and system logs, which may be accessed to detect or investigate unauthorised or inappropriate use.
A specific code of practice (e.g. the Charter for System Administrators) will be established to set out the duties and limitations of the role of system administrator, to promote good practice and offer protection to such staff from possible legal or disciplinary action.
Guidelines setting out an agreed University standard for backup, continuity planning and disaster recovery for both central systems and individual users will be published.
Acceptable use of systems will be defined and guidance on good practice given.
This policy will be published to all members of the University, who will be expected to be familiar with it and to comply with it. All information systems will carry a notice (at log in) to draw the user's attention to the policy and to state that systems may only be used by authorised users for authorised purposes. All relevant documentation, training and publicity will contain advice on good practice relating to information security and will aim to promote a security-conscious culture in the University.
Security Incident Response
All incidents involving actual or potential breaches of Information Security must be reported in accordance with the published procedures. The University will investigate all security incidents and take action in accordance with this policy; other related documents; University Regulations and discipline procedures; and English Law. Sanctions and possible actions will be published where appropriate.
