Information Security Policy Framework - Heriot-Watt University

Transcription

Information Security Policy Framework
January 2019, updated February 2022

Approving authority: University Executive
Consultation via: Professional Services Leadership Board, Global Information Governance and Data Protection Group
Approval date: 29 January 2019
Effective date: 29 January 2019
Review period: Five years from date of approval
Responsible Executive: Secretary of the University
Responsible Office: Information Governance, Information Services
Territorial Scope: University Group, Global

HERIOT-WATT UNIVERSITY INFORMATION SECURITY POLICY FRAMEWORK

Contents
1. Introduction
2. Purpose
3. Objectives
4. Scope
5. Lines of responsibility
6. Monitoring and Evaluation
7. Implementation
8. Related Policies, procedures and further reference
9. Definitions
10. Further help and advice
11. Policy Version and History

Heriot-Watt University Information Security Policy Framework

1. INTRODUCTION

This policy sets out a framework of governance and accountability for information security management across the University Group. It forms the basis of the University Information Security Management System (ISMS). This incorporates all policies and procedures that are required to protect University information by maintaining:

- Confidentiality: protecting information from unauthorised access and disclosure
- Integrity: safeguarding the accuracy and completeness of information and preventing its unauthorised amendment or deletion
- Availability: ensuring that information and associated services are available to authorised users whenever and wherever required
- Resilience of processing systems and services: the ability to defend against and mitigate the impact of a physical or technical incident and restore the availability and access to information in a timely manner

This policy framework aims to develop a positive culture of information security throughout the University.

2. PURPOSE

Heriot-Watt University relies on the effective management and flow of information to enable staff to communicate and work effectively on its business worldwide. The need to access information must be balanced with appropriate and proportionate measures to avoid the loss or unauthorised disclosure of confidential information.

The purpose of this policy is to establish an effective Information Security Management System to:

- Ensure our business continuity
- Protect our intellectual property rights, financial interests and competitive edge
- Safeguard the interests and privacy of our students, staff and stakeholders and retain their trust
- Comply with the law and defend ourselves against legal action
- Maintain our reputation

3. OBJECTIVES

This policy framework sets out the University's senior management commitment to information security and establishes a framework of governance, responsibility and accountability for information security management across the University Group. The policy applies to all information created or received in the course of University business.

Version 12.1: November 2018 | Author: Ann Jones | URL: y-policy-framework.pdf | Page 3

This policy framework forms the basis of the University Information Security Management System (ISMS) of related policies and procedures, based on the International Standard BS EN ISO/IEC 27001:2017, taking a risk based, proportionate approach to embed appropriate levels of information security controls in the University's business functions and processes.

3.1 This policy framework sets out generic and specific lines of responsibility for information management across the University.

All members of the University community have a responsibility to protect all confidential information to which they may have access in the course of their work.

Within this policy framework, the University Executive, Executive Deans, Chief Operating Officers, Global Directors of Professional Services, Division Heads, managers and relevant professional specialists are responsible for working together with information users to develop, implement, monitor and review the components of the information security management system.

3.2 The University takes its responsibilities for information security very seriously.

Any user who breaches information security policy may be liable to disciplinary action and may also be breaking criminal or civil law. Breaches of the policy which place the University at serious financial, commercial or reputational risk or actual loss may be considered as gross misconduct offences, for which dismissal may be an outcome.

4. SCOPE

4.1 What information is included in the Policy framework

This policy framework applies to all information created or received in the course of University business in all formats, of any age. This policy applies to information held or transmitted in paper and electronic formats or communicated verbally in conversation or over the telephone.

4.2 Who is affected by the Policy Framework

The policy framework applies to all users of University information. Users include all employees and students of the University, all contractors, suppliers, University partners and external researchers and visitors who may have access to University information.

4.3 Where the Policy Framework applies

The policy framework applies to all locations from which University information is accessed including home use.

As the University Group operates internationally, through its campuses in Dubai and in Malaysia and through arrangements with partners in other jurisdictions, the remit of the policy framework and the Global Information Governance and Data Protection Group shall include such overseas campuses and international activities and shall pay due regard to non-UK legislation that might be applicable.

5. LINES OF RESPONSIBILITY

5.1 All users of University information are responsible for:

- Undertaking relevant training and awareness activities provided by the University to support compliance with this policy
- Taking all necessary steps to ensure that no breaches of information security result from their actions
- Reporting all suspected information security breaches or incidents promptly to ISHelp@hw.ac.uk so that appropriate action can be taken to minimise harm

5.2 The Secretary of the University has senior management accountability for information security, reporting to the University Executive and the Audit and Risk Committee on relevant risks and issues.

5.3 The Global Director of Governance and Legal Services has senior management responsibility for the information security management and for providing proactive leadership to instil a culture of information security within the University through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities.

5.4 The Global Director of Information Services is responsible for recommending IT and Cyber security policies, maintaining controls to ensure that centrally managed IT systems and services take account of information security risks and are integrated into the information security management system, in line with cybersecurity standards, and for promoting good practice in IT security among relevant staff.

5.5 The Head of Information Governance and Data Protection Officer is responsible for recommending information security policy and ISMS to the Global Director of Governance and Legal Services, leading on wider information governance strategy, policies and procedures and for recommending any University policies necessary to comply with data protection law or other regulations affecting the management of information and records.

5.6 All Executive Deans, Chief Operating Officers, Institutes and Professional Services are responsible for implementing the policy within their business areas, and for adherence by their staff. This includes:

- Assigning generic and specific responsibilities for information security management
- Managing access rights for information assets and systems to ensure that employees, contractors, agents and other users have access only to such confidential information as is necessary for them to fulfil their duties
- Ensuring that all colleagues in their business areas undertake relevant training provided by the University and are aware of their accountability for information security
- Ensuring that staff responsible for any locally managed IT services liaise with University Information Services staff to put in place equivalent IT security controls

5.6 The Global Director of Human Resources Development is responsible for reviewing relevant human resources policies and procedures to integrate with the information security management system, in order to support managers and staff in understanding and discharging their responsibilities for maintaining information security, through the recruitment, induction, training, promotion, discipline and leaver management processes.

5.7 The Global Academic Registrar is responsible for reviewing relevant student administration policies and procedures to integrate with the information security management system and for oversight of the management of student records and associated personal data across the University.

5.8 The Head of Assurance Services is responsible for ensuring that Information Security controls are integrated within the risk, business continuity management and audit programmes and for liaising with insurers to ensure that the ISMS meets insurance requirements.

5.9 The Head of Safeguarding Services is responsible for ensuring that controls to manage the physical security of the University take account of relevant information security risks and are integrated into the information security management system.

5.10 The Global Information Governance and Data Protection Committee is responsible for reviewing the information security related policies and procedures that comprise the ISMS, monitoring compliance with the ISMS, reviewing incidents and recommending actions where necessary to strengthen information security controls. The Committee will receive advice and reports from the Higher and Further Education Shared Technology and Information Services (HEFESTIS) Cyber Risk Group and the IS/IG Information Security Working Group. The Global Director of Governance and Legal Services chairs the Committee. Its membership will include the Head of Information Governance and Data Protection Officer, the Global Director of Information Services and representatives of all the senior stakeholders with responsibilities for information security, as set out in the Terms of Reference for the Committee.

6. MONITORING AND EVALUATION

The Head of Information Governance and Data Protection Officer and the Head of IS Infrastructure and Service Experience will monitor new and on-going information security risks and recommend updates to the information governance and cyber security strategic risk registers, reporting these promptly as required to the Global Director of Governance and Legal Services, Global Director of Information Services and the Head of Assurance Services. The Head of Information Governance and Data Protection Officer and the Head of IS Infrastructure and Service Experience will liaise with the Head of Assurance Services to ensure that Cyber security, and information security and information governance risks are also captured on School and Professional Service operational risk registers.

6.1 The Chair of the Global Information Governance and Data Protection Group and the Data Protection Officer will make an annual report to the Audit and Risk Committee on compliance with the ISMS, recommending any actions needed to address risks and issues, for inclusion in the Audit and Risk Committee's annual report on risk management control to Court. The Chair is responsible for escalating major risks arising from a breach of information security, or other major issues that affect strategic and operational risks, promptly to the University Executive and the Secretary of the University. The Chair will report as necessary to the Global Operations Executive and the University Executive as part of a wider communications strategy to promote a culture of responsible information security management across the University.

The Head of Information Governance and Data Protection Officer is responsible for reporting any information security issues with data protection compliance implications to the Secretary of the University and for liaising with the Information Commissioner's Office or the relevant Supervisory Authority in relation to data protection compliance matters. The Global Director of Governance and Legal Services is responsible for meeting any reporting requirements of other external regulatory bodies.

6.2 As part of the University's internal audit programme, the Audit and Risk Committee will instruct the University's Internal Auditors to audit the management of information security risks and compliance with relevant controls, as required.

7. IMPLEMENTATION

This policy is implemented through the development, implementation, monitoring and review of the component parts of the information security management systems. These include:

- Executive Deans and Directors of Professional Services undertake information risk assessments to identify and protect confidential and business critical information assets and IT systems
- Coordination of effort between relevant Heads of Service and professional specialists to integrate Cyber and IT, physical security, people, information governance, risk management and business continuity to deliver effective and proportional information security controls
- Review and refresh of all relevant policies and procedures
- Designation of information governance coordinators for each area
- Generic and role specific training and awareness
- Embedding information governance requirements into procurement and project planning
- Information security incident management policies and procedures
- Business continuity management
- Monitoring compliance and reviewing controls to meet business needs

8. RELATED POLICIES, PROCEDURES AND FURTHER REFERENCE

8.1 University Policies and procedures

This policy provides the framework for an interconnected set of University Information Governance and IT Policies and procedures. These aim to develop a positive culture of information governance throughout the University through the development of a holistic Information Security Management System (ISMS) to protect University information by maintaining its confidentiality, integrity, availability and resilience.

This policy framework should be read in conjunction with all other University information management policies, which are reviewed and updated as necessary to maintain an effective Information Security Management System to meet the University's business needs and legal obligations. Relevant policies are published on the University website at Our policies | Heriot-Watt University.

Managers of staff whose roles do not require University IT access are responsible for briefing their staff on their responsibilities in relation to all policies that affect their work.

8.2 Legal Requirements and external standards

Effective information security controls are essential for compliance with U.K. and Scottish law and other relevant law in all jurisdictions in which the University operates.

Legislation that places specific information security and record keeping obligations on organisations includes, but is not limited to:

- Computer Misuse Act 1990
- UK Data Protection Act 2018
- UK General Data Protection Regulation (UK GDPR)
- Environmental Information (Scotland) Regulations 2004
- Freedom of Information (Scotland) Act 2002
- Privacy and Electronic Communications Regulations 2003
- Regulation of Investigatory Powers Act 2000
- Regulation of Investigatory Powers (Scotland) Act 2000
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

All current UK Legislation is published at https://www.legislation.gov.uk/

Information Governance staff can advise on specific legal and regulatory requirements affecting records and information management.

This policy also maps to BS ISO 27001 Information Security Management.

9. DEFINITIONS

Information
The definition of information includes, but is not confined to, paper and electronic documents and records, email, voicemail, still and moving images and sound recordings, the spoken word, data stored on computers or tapes, transmitted across networks, printed out or written on paper, carried on portable devices, sent by post, courier or fax, posted onto intranet or internet sites or communicated using social media.

Confidential information
The definition of confidential information can be summarised as:

- Any personal information that would cause damage or distress to individuals if disclosed without their consent.

- Any other Information that would prejudice the University's or another party's interests if it were disclosed without authorisation.

A more detailed definition can be found in the University Information Security Classification Scheme.

Information Security Management System
"An Information Security Management System (ISMS) consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets. An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security to achieve business objectives. It is based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks." - BS EN ISO/IEC 27000:2017

10. FURTHER HELP AND ADVICE

For further information and advice about this policy and any aspect of information security contact:

Information Governance
Telephone: +44 (0)131 451 3216/3274/3219
Email: Infogov@hw.ac.uk

Information Services
Telephone: +44 (0)131 451 4045
Email: ISHelp@hw.ac.uk

11. POLICY VERSION AND HISTORY

Version No | Date of Approval | Approving Authority | Brief Description of Amendment
V12.2 | 03/03/2022 | University Executive | Minor updates to reflect legal and organisational changes
V12.1 | 22/11/2018 (approved 29 January 2019) | University Executive | Roles and remit updated and territorial scope added to title page. Update of Version 11 approved September 2013
