UML LIMITED
Information Security Policy

1 Introduction

1.1 UML Limited recognises that information is fundamental to its effective operation and is one of its most important business assets. The purpose of this Information Security Policy is to ensure that the information managed by UML is appropriately secured in order to protect against the possible consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information. Failure to adequately secure information increases the risk of financial and reputational loss to the organisation.

1.2 Information security is defined as the preservation of:
• Confidentiality (protecting information from unauthorised access and disclosure)
• Integrity (safeguarding the accuracy and completeness of information)
• Availability (ensuring that information and associated services are available to authorised users when required)

2 Purpose

The objectives of this policy are to:

2.1 Ensure that all information and information systems within UML are protected to the appropriate level.
2.2 Ensure that all users are aware of and comply with this policy including sub-policies and all current and relevant UK and EU legislation.
2.3 Provide a safe and secure information systems environment for staff and any other authorised users.
2.4 Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
2.5 Protect UML from liability or damage through the misuse of information or information systems.
2.6 Ensure that information is disposed of in an appropriately secure manner when it is no longer relevant or required.

3 Scope

3.1 The Information Security Policy applies to information in all its forms, collectively termed ‘information assets’ within this document. It covers information in paper form, stored electronically or on other media, information transmitted by post, by electronic means and by oral communication, including telephone and voicemail.
It includes text, pictures, audio and video. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

3.2 This policy applies to all staff, students and other members of UML and third parties who interact with information held by UML and the information systems used to store and process it, collectively termed ‘users’ throughout this document.

4 Information Security Principles

The following principles underpin this policy:

4.1 Information will be protected in line with all relevant organisation policies and legislation.
4.2 It is the responsibility of all individuals to be mindful of the need for information security across UML and to be aware of and comply with this policy including sub-policies and all current and relevant UK and EU legislation.
4.3 Each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
4.4 All information will be classified according to a level of risk as stated in Information Classification below.
4.5 Information will be made available solely to those who have a legitimate need for access.
4.6 It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.
4.7 The integrity of information will be maintained.
4.8 Information will be protected against unauthorised access.

5 Information Classification

The following table provides a summary of the risk based information classification levels that have been adopted by UML.

Classification Level: High
  Description: Loss, misuse or unauthorised access to this data could result in significant financial loss, reputational loss and litigation.
  Examples: Student data; Staff data; Financial data; Graduates and alumni; Customers and clients

Classification Level: Medium
  Description: Loss, misuse or unauthorised access could result in reputational loss and litigation.
  Examples: Teaching data; Research data; Estates data; Governance records

Classification Level: Low
  Description: Loss, misuse or unauthorised access could result in reputational loss.
  Examples: Management information; Collections data; Public facing content

6 Legal and Regulatory Obligations

The use of information is governed by a number of different Acts of Parliament.
All users have an obligation to comply with current relevant legislation which includes, but is not limited to:
• Computer Misuse Act (1990)
• The Data Protection Act (1998)
• Freedom of Information Act (2000)
• Copyright, Designs and Patents Act (1988)
• Regulation of Investigatory Powers Act (2000)
• Human Rights Act (2000)
• Electronic Communications Act (2000)
• Digital Economy Act (2010)
• Obscene Publications Act (1959 & 1964)
• Counter-Terrorism and Security Act (2015)

7 Breaches of Security

7.1 Any individual suspecting that the security of a computer system has been, or is likely to be, breached should inform the IT Service Desk immediately. They will advise on what steps should be taken to avoid incidents or minimize their impact, and identify action plans to reduce the likelihood of recurrence.
7.2 In the event of a suspected or actual breach of information security, IT Security, with or without consultation with the relevant department, may require that any systems suspected of being compromised are made inaccessible.
7.3 Where a breach of security involving either computer or paper records relates to personal information, UML's Data Protection Officer must be informed, as there may be an infringement of the Data Protection Act 1998.
7.4 All physical security breaches should be reported to UML’s Security Office.

8 Policy Awareness and Disciplinary Procedure

8.1 This policy will be provided to all new and existing staff, students and members of UML. All other users of UML’s information systems will be advised of the existence of this policy, which will be made available on the UML website.
8.2 All users are required to familiarise themselves with this policy and comply with its requirements.
8.3 Failure of an individual student or member of staff to comply with this policy may lead to the instigation of disciplinary procedures up to and including dismissal and, in certain circumstances, legal action may be taken. Failure of other users to comply may lead to revocation of access, the cancellation of a contract and, in certain circumstances, legal action. UML may refer the user to the police where it reasonably believes a crime has been committed and will co-operate fully with any police investigations.
9 Governance

9.1 Responsibility for the production, maintenance and communication of this top-level policy document and all sub-policy documents lies with UML’s IT Security Manager.
9.2 This top-level policy document has been approved by the Information Technology Governance Group (ITGG). Substantive changes may only be made with the further approval of this group. Responsibility for the approval of all sub-policy documents is delegated to the Information Security Group (ISG). Before approving any sub-policy the ISG will consult with the ITGG, where necessary.
9.3 Each of the documents constituting the Information Security Policy will be reviewed annually.
It is the responsibility of the IT Security Manager to ensure that these reviews take place. It is also the responsibility of the IT Security Manager to ensure that the policy set is and remains internally consistent.
9.4 Changes or additions to the Information Security Policy may be proposed by any member of the department to the IT Security Manager.
9.5 Any substantive changes made to any of the documents in the set will be communicated to all relevant personnel.

10 Policy Set

The complete Information Security Policy document set comprises:

Policy Name                          ID        Status
Information Security Policy          ISP01     Live
Acceptable Use                       ISP02     Live
Business Continuity                  ISP03     In progress – due June 2017
Disaster Recovery                    ISP04     In progress – due July 2017
Incident Management                  ISP05     In progress – due August 2017
User Account Management              ISP-006   TBC
Mobile Device                        ISP-007   TBC
Network Configuration                ISP-008   TBC
Physical Security                    ISP-009   TBC
Application Security                 ISP-010   TBC
System Configuration & Maintenance   ISP-011   TBC
Penetration Testing                  ISP-012   Live

11 Associated Policies and Documents

The following University of London policies support and provide additional context to this policy:
• Data Protection Policy
• Freedom of Information Policy
• Data Classification Policy
• Records Management Policy
• Risk Management Policy
• Social Media Policy
• Research Data Management Policy