Information Systems Security policy
Purpose
The University Court has legal and other responsibilities to its staff, students and other stakeholders to ensure the security of information assets that it uses and holds, and to ensure the University is not host to threats to the security of information assets elsewhere. Security of information includes the continued confidentiality, integrity and availability of that information. The purpose of this policy is to define the environment in which information will be protected from threats, whether internal or external, deliberate or accidental. Information exists in many forms, and the policy includes the protection of information stored electronically or on paper or in other forms, and in transit whether across the network or otherwise.
Environment
The University operates in an environment where openness and sharing are valued for many activities, although security is valued for many others. Support resources are over-stretched, but the University is IT-rich. However, the University will suffer potentially very significant loss of reputation, financial loss or legal penalty if its openness allows its IT resources to be used to mount attempted or successful security attacks on others or on its own resources.
The University's approach is that the freedom and openness must be balanced by care and responsibility.
Objectives
The objective of information security is to ensure business continuity and minimise damage by providing controls to mitigate risks and thereby prevent or reduce the impact of security incidents.
We are all familiar with the need for security in many aspects of our life, and we all have information which we need to have protected. At the same time we all want to work in an open, free environment. Trade-offs between these objectives are required. The University is required to meet its legal, contractual and other obligations. Therefore the security policy for the University is that:
- the security (i.e. confidentiality, availability and integrity) of confidential or important information must be assured, while
- the University will provide as open an academic environment as possible, free of all unnecessary controls, to reduce work barriers for staff and the cost of support.
The priorities will always be in the order shown, but the relative importance of the two objectives will vary with the application domain. Nevertheless, the requirement for the first priority means that the security of the network is paramount.
Achieving this requires acceptance, by University management and the whole University, of a documented Information Security Management System (ISMS) based on a documented understanding of the risks involved. The scope of the ISMS is documented in the Information Security Management System Scope.
Compliance with the ISMS will help ensure:
- Protection of confidential information including personal data against unauthorised access.
- Integrity of information.
- Availability of information to authorised users when needed.
- Compliance with regulatory requirements.
- Use of University information assets by and for University identified staff and students.
- Business continuity plans.
- Availability of information security training.
- Monitoring and records of security breaches (actual or suspected).
The approach taken is based on BS 7799-2:2002, but the University will not at this stage attempt to register as compliant with that standard, due to the resources that would be required to do so.
This Information Systems Security Policy, when approved by Court, empowers Information Policy and Strategy Committee (IPSC) to approve detailed standards, policies, procedures and regulations to support this policy. An initial set of detailed policies is provided with this policy at [link].
Staff and students who choose not to comply with University regulations and policies in this area will be subject to the University disciplinary policy.
The Secretary of Court has primary responsibility for this policy, and the Director of Information Services is responsible for providing advice to the Secretary of Court and to University Management, and guidance on and support for policy implementation across the University. All Deans, managers and heads of department are responsible for implementing the detailed policies and procedures in their own business areas. Each staff member and student has the responsibility to adhere to such policies and procedures as apply to them. Breaches of this policy and of information security may result in disciplinary action.