Appendix to Information Security Policy
Security of Electronic Information
Introduction
The Information Security Policy states that the University ‘is committed to ensuring
that the information it manages is appropriately secured to protect against the
consequences of breaches of confidentiality, failures of integrity or interruptions to
the availability of that information.’ It is understood that these requirements, if
regarded as absolute, would be mutually incompatible, and it is the responsibility of
all managers of electronic information to make a judgement on the balance between
ensuring the integrity and availability of their data on the one hand, and maintaining
confidentiality on the other. It is the responsibility of IT Services to provide an
environment in which a reasonable balance can be struck.
IT Services is responsible for providing a secure environment in which it is
reasonable for the University and its students and employees to store and transfer
information on and between networked computers, provided appropriate care is
taken by all users. This appendix outlines where responsibility for taking care lies.
If the University, its students and its employees are justified in feeling confident in
the security of the environment, a reasonably free flow of information within the
network is possible. It is important that the University encourages a culture of
security as a prerequisite for a culture of openness.
Definitions of roles
This appendix describes the responsibilities of the University and its staff and
students in respect of the security of electronic information. All members of the
University have responsibilities as computer users; in addition some members of the
University may have responsibilities as line managers or data managers.
Computer user: All members of staff and students of the University are required to
make use of computers and are authorised to do so. In addition external persons
who have been sponsored by a member of staff may be authorised to use the
University’s computer and network facilities. All computer users have
responsibilities in respect of the data that they create or use.
Line managers: The University is organized in such a way that members of staff are
supervised by and report to others within the University structure. How this is
organized in detail varies from one School or Unit to another. It is the responsibility
of the head of the School or Unit to ensure that all members of the School or Unit are
adequately supervised in respect of the handling and security of electronic data. The
term line manager is used to refer to heads of Schools or Units, and to those delegated
by them to exercise management and supervisory functions in respect of other
members of staff. In the case of students when they are handling data as part of their
studies or research, their course co-ordinators or supervisors are in the position of
line managers. In the case of external users, their sponsors are in the position of line
managers.
Data managers: It must always be clear who is responsible for the management of
data that is used within the University, whether it is generated locally or acquired
from elsewhere. In the case of a single document it will usually be the creator of the
document who is the data manager. In the case of each of the major databases used
in the University administration it should be recognised which Unit is responsible for
it, and the data manager is the Head of that unit or their named deputy. The data
manager is responsible for assessing the security implications of giving access to the
data, and for defining who is to have access to the data, and under what conditions.
Since administrative data is routinely shared amongst members of more than one
School or Unit, the role of the data manager is distinct from that of the line manager.
The data management role is sometimes loosely described as ownership of the data.
Although Units and heads of Units do not own the data that they manage, the term
serves to highlight the rights and duties that data managers have in respect of the
data they manage.
The secure environment
A secure network
IT Services provides a network which is adequately secured against intrusion. The
University’s Network Connection Policy [awaiting approval] is intended to ensure
that no device will be connected to the network which will undermine its security. It
also defines the classes of users who are permitted to attach devices to the network.
Authentication and authorisation
IT Services provides each computer user with authentication tokens (username and
password). These make it possible to restrict access to the network, and provide data
managers with a tool by which to restrict access to information to authorised users or
groups of users.
Managed backups
IT Services uses the network to carry out regular backups of information held on
University systems. This does not include data held on personal computers.
IT Services provides advice on backup procedures for users of personal computers.
Responsibilities
In addition to the role of IT Services described above, other parties (computer users,
their line managers, and the managers of data) are responsible for contributing to the
security of this environment:
• Data managers are responsible for deciding the security requirements of the information that they hold and for using the authentication and authorisation mechanisms to limit access to it
• Data managers are responsible for ensuring that adequate backups of their information are obtained; where the ITS managed backups are inadequate or unsuitable, local backups should be made
• Users must comply with the network connection policy
• Users must have a secure password and must not reveal it to others
• Users must follow best practice guidelines on maintaining the security of their computer systems, eg by password protection and by keeping anti-malware software up to date
• Users must maintain the physical security of their computers, eg by locking doors and preventing unauthorised people from looking at the screen
• Line managers are responsible for ensuring that their staff comply with their obligations as users; they should provide an environment favourable to compliance and ensure that their staff have the resources and training required for compliance
• The University Executive will encourage a culture of security, and where necessary impose disciplinary sanctions on students or employees if they breach the Network Connection Policy or compromise the security of their passwords
Outside the secure environment
Particular care is needed when information is permitted to pass beyond the secure
environment. This does not refer only to data being taken away from University
premises. Data is outside the secure environment as soon as it is committed to any
form of removable or portable storage medium, including paper. All computer disks
and indeed computers are to some extent portable.
Examples of ways in which data routinely leaves the secure environment include the
following:
• whenever information is printed, whether or not the printer itself is in a physically secure location
• when information is sent by email, even if the recipients are other University computer users. This includes sending documents, spreadsheets etc as attachments
• when information is stored on a laptop or on removable storage such as CD/DVD, memory stick or removable hard disk. This includes cases where removable storage is used for backup purposes
• when a computer is moved from one location to another, including when it is discarded at the end of its life
• when using a Virtual Private Network (VPN). In this case information restricted to the University network becomes available to authenticated users outside the University network, and so can be stored on computers outside the network
• when authenticated access to information is given via the web to users outside the network. Information may then be explicitly downloaded and/or silently stored in the local cache
All these techniques may legitimately be used to enable the work of the University to
proceed, but they must be used with care.
Technical solutions are available to meet some of the eventualities described above,
including:
• encryption of data on hard disks and removable media
• password protection of files
• secure erasure of no longer wanted data
• deletion of temporary Internet files
• access restrictions – restricting who can access which data and from where, and how
Responsibilities
• IT Services should provide up-to-date guidance on technical solutions
• Data managers must ensure that where the requirement of confidentiality is high the information is not permitted to pass beyond the secure environment, eg by forbidding the use of email to transmit information or by prohibiting anyone outside the specified University premises (whether or not they have a VPN connection to the network) from accessing the data
• Line managers must ensure that their staff understand the security implications of printing, email and removable storage media. In particular, any backup arrangements that involve a copy on removable storage media must take account of the need for physical security of these media, both in transit and in storage
• Line managers must ensure that their staff know when it is permissible to access data over a VPN connection, or to take data off-site on removable storage media
• Line managers must ensure that their staff understand and comply with restrictions imposed by data managers
• Users must ask their line managers and/or the managers of the data whether it is permissible to move or copy data from the secure environment, and if so what security procedures should be followed
Exceptional requirements
IT Services is committed to maintaining the network at a level of security which,
provided other parties fulfil their responsibilities, will provide sufficient safeguards
for the general work of the University, including the manipulation of personal
information. However, there are some cases where a higher level of security is
required. This includes highly sensitive personal or business information owned by
the University and data provided by third parties on the condition that a higher level
of security is imposed.
In such cases the data should not be held at all on a computer that is networked.
Emphasis should be placed on tight physical security for the computer used for
processing and for the removable media used for transporting the data. Once the
processing is complete and, if necessary, the data has been transferred back to
removable media, the computer’s hard disk should be securely erased before the
computer is used for other purposes.