Information Security Policy

This policy sets out the framework for all University Of Wolverhampton Information Security practices.

Updated May 2021

Approved by the University's Corporate Management Team

1. INTRODUCTION 

1.  University of Wolverhampton’s computer and information systems underpin all University of Wolverhampton’s activities, and are essential to ensure the university provides ahigh quality student experience, pursues academic excellence, scholarship and enhances the employability of our students through supporting collaborative, innovative and enterprising delivery of all programmes.  

1.2.  The University of Wolverhampton is internationally orientated, strengthening links with the global community and strengthening partnerships, both within the UK and externally, in order to provide a process for an effective two-way knowledge, opportunity and innovation exchange between partners.  

1.3.  The University of Wolverhampton recognises the need for its members, employees and visitors to have access to the information they require in order to carry out their work and recognises the role of information security in enabling this requirement.

1.4.  Security of information must therefore be an integral part of the University of Wolverhampton’s management structure in order to maintain continuity of its business, legal compliance and adhere to the University’s own regulations and policies.

1.5.  The University will operate in a manner where security of information is balanced with appropriate information accessibility; providing the optimum level of risk management to support the University’s strategic goal of being a University of Opportunity which maintains strong global and international partnership links.

2. PURPOSE

2.1. This information security policy defines the framework within which information security will be managed across the University of Wolverhampton and demonstrates management commitment to meeting the strategic direction and support requirements for information security throughout the University of Wolverhampton. This policy is the primary policy under which all other technical and security related polices reside. (Appendix 1).

3. SCOPE

3.1.  This policy is applicable to and will be communicated to all staff, students and other relevant parties including governors, employees, visitors and contractors.

3.2.  It covers, but is not limited to, any systems or data attached to the University of Wolverhampton’s computer or telephone networks, any systems supplied by the University of Wolverhampton, any communications sent to or from the University of Wolverhampton and any data which is owned either by the University or held on systems external to the University of Wolverhampton's network.

4ORGANISATION OF INFORMATION SECURITY

4.1.  The University's Information Security lead officer, for the organisation, is ultimately responsible for the maintenance of this policy and for compliance within the University of Wolverhampton. This policy has been approved by University of Wolverhampton Corporate Management Team and forms part of its policies and procedures. 

4.2.  The Corporate Management Team are responsible for reviewing this policy on an annual basis. They will provide clear direction, visible support and promote information security through appropriate commitment and adequate resourcing to achieve the objectives of this policy. 

4.3.  The Head of Information Security is responsible for the management of information security and, specifically, to provide advice and guidance on the implementation of this policy.  

4.4.  The Information and Data Quality Committee comprising representatives from all relevant sections of the University is responsible for identifying and assessing security requirements and risks.  

4.5.  It is the responsibility of all line managers to implement this policy within their area of responsibility and to ensure that all staff for which they are responsible are: 

  • Made fully aware of the policy. 
  • Given appropriate support and resources to comply.  
  • Receive adequate training to ensure regulatory and legislative compliance is achieved.  

4.6.  Each Faculty and business department will appoint a responsible named individual known as the Information Risk Owner for their business area. This role will be responsible for information security to devolved departments, ensuring compliance with information security policy and be the initial data manager responsible for data breach containment and breach reporting to the Data Protection Officer for assessment.  

4.7.  The Information Risk Officer will be responsible for assisting with information risk assessments as required by the ISMS Forum and for compiling an Information Asset Register for their area of responsibility.

4.8.  It is the responsibility of each member of staff to adhere to this policy. 

5. POLICY STATEMENT  

5.1. The University of Wolverhampton is committed to protecting the security of its information and information systems. It is also committed to a policy of education, training and awareness for information security and to ensuring the continued business of the University of Wolverhampton. It is the University of Wolverhampton's policy that the information it manages shall be appropriately secured to protect against breaches of confidentiality, failures of integrity or interruptions to the availability of that information and to ensure appropriate legal, regulatory and contractual compliance.

5.2.  To determine the appropriate level of security control that should be applied to information systems, a process of risk assessment shall be carried out in order to define security requirements and identify the probability and impact of security breaches. 

5.3.  Specialist advice on information security shall be made available throughout the University of Wolverhampton and advice can be sought via the University’sHead ofInformation Security and/or the Data Protection Officer.  

5.4.  It is the University of Wolverhampton’s policy to report all information or IT security incidents, or other suspected breaches of this policy. The Faculty or business unit will follow the University’s advice for the escalation and reporting of security incidents and data breaches that involve personal data which will subsequently be reported to the University’s Data Protection Officer for assessment and reporting, where applicable. Records of the number of security breaches and their type should be kept and reported on a regular basis to the Informationand Data QualityCommittee and Head of Information Security 

5.5.  Failure to comply with this policy that occurs as a result deliberate, malicious or negligent behaviour, may result in disciplinary action.

APPENDIX 1 - SUPPORTING POLICIES
1.1  Information Governance Policy Published
1.2 ICT Acceptable Use Policy  Published
1.3 Data Classification Guidance  Published
1.4 Terms and Conditions for an IT account  Published
1.5 Information Security Training for staff Published
1.6 Access to Staff/Student IT Account Policy Published
1.7 Freedom of Information (FOI) Publication Scheme  Published
1.8 Cloud Services Risk Assessment Policy  Published
1.9 Procedure for reporting an Information Security Incident  Published
1.10 Data Protection Policy  Published
1.11 Data Retention Policy  Published
1.12 Intellectual Property Policy  Published
1.13 Use of Cookies Policy  Published
1.14 Freedom of Information (FOI) Guidance  Published
1.15 Home Working / Remote Access Agreement and Guidelines  Published
1.16 Encryption Policy  Published
1.17 Information Security Workbook for Procurement of Software Services involving University data  Published
1.18 Local Administrative Account Policy  Published