UNIVERSITY of GLASGOW

IT Services
Home > Services A-Z > IT Services > Regulations, committees and policies > Security policies > Information Security Management System scope

Information Security Management System scope

The University is a research-led education institution established in 1451 by Papal Bull and governed by the University Court. It is physically based on two main campuses at Gilmorehill and Garscube Estate, with other facilities located in and near Glasgow, Scotland. University property locations are briefly shown below. All locations are subject to the Information Security policy. The University is a large enterprise, with revenues in excess of £250M per year, and with around 5,000 employees and 18,000 students. There are around 10,000 computers attached to the University network, which is a very high performance optical fibre based network. The University is the lead organisation in ClydeNET, and as such is responsible for connecting 28 other Universities, HEIs and FECs in the South and West of Scotland to the SuperJANET backbone network.

The University's primary business is education and research. Education provides <50% of income. Most students are in full time attendance at campuses at Glasgow and Crichton near Dumfries. A relatively small number are part time (compared with some Universities), and there are a small number of Distance Education courses, mainly paper-based but increasingly moving to digital delivery. Some students operate off campus, for example many medical students spend significant parts of their time at NHS facilities, and many Education students spend significant time in schools. There are a large number of Adult and Continuing Education courses and students, but the latter translate into only a few FTEs.

The majority of income comes from research; at any one time many hundreds of research projects are active, funded from a wide variety of sources including Research Councils, charities and other bodies. A relatively small proportion of research is based on contracts preventing public disclosure of the results. However, knowledge transfer through commercialisation is a growing area of activity, involving spin-offs, start-up companies, and licensing of IPR.

The scope of this security policy includes all resource units, faculties and departments of the University, including externally funded research units. Every computer on University premises or attached to the University's Intranet (whether through a wired or wireless connection) is within the scope.

Every person studying, researching, working or on business at or with the University, whether student, staff member (temporary, permanent, honorary or visiting), contractor or visitor is within the scope.

Information assets of the University are extremely diverse. Interpreting the term broadly (as BS 7799 implies), these assets include:

  • The physical estate as far as it impinges on other information assets (this would include those parts of the estate that provide security to information assets, for example)
  • Campus infrastructure including power and telecommunications equipment, but including infrastructure such as heat, light, water etc as far as it impinges on other information assets
  • Staff, including those on fees payroll who support education and research, or carry out key roles in relation to information assets
  • Non-digital information handling systems, such as the post room, confidential waste disposal, etc
  • Computer systems, both client/terminal systems and server systems, as well as computers that form part of other equipment or the infrastructure itself
  • Computer software, including public domain software, but particularly that licensed from external bodies or created and managed by the University, especially where it contains valuable IPR or is involved in protecting information assets
  • Books, journals, maps, manuscripts, images, sound and video resources, reference and database materials for education and research held in the
  • University Library (note, these are subject to existing mechanisms), faculties and departments
  • Artistic and cultural objects held in the Hunterian Museum and Gallery (note, these are subject to existing mechanisms), in faculties and departments
  • Archives and records held in the University Archives (note, these are subject to existing mechanisms), in faculties and departments
  • Published and un-published works, drafts, essays, assignments, exams, programs, artistic and musical works and databases held by staff and students
  • Administrative data including personal data and sensitive personal data held on central computer server systems, in faculties and departments and on client systems.


Locations covered by this policy include

  • Gilmorehill campus, including the St Andrews Building and other peripheral buildings
  • Garscube campus including Wolfson Hall and Conference Centre, and University facilities at the Science Park
  • Crichton Campus near Dumfries
  • Research Centres and other facilities including Cochno, Rowardennan, Millport and East Kilbride
  • University parts of joint departments and centres with other institutions (eg NAME)
  • University equipment held off campus, eg in private homes or in transit
  • Any University-funded clusters in Halls of Residence, even if transferred.

The aim of the Information Security Management System is to provide stakeholders assured access to the information assets within the terms of the Information Security Policy.