ISO 27001 is well underway...a two year project to securely and efficiently organise the University’s information.
Information is a valuable asset for the University, so the way we organise it and manage its security is a high priority. The Information Management team are halfway through this two year project to achieve the globally recognised certification ISO 27001 - a series of standards that help to identify any risks to your information and to put in place appropriate controls to help reduce this risk.
Oxford Brookes University recognises that information and its associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour.
The University also believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.
The policies and procedures in this section are intended to be used as working documents so please check from time to time to see if they have been updated. If you cannot find the policy or procedure you are looking for please contact the information compliance team for guidance at email@example.com.
1. Policy Objectives
1.1 The principal aims of this policy are to secure the University’s compliance with its legal obligations, as an internet service provider, as a licensee and as a publisher, and to protect the value and integrity of the digital information held within or accessed through the University’s IT facilities.
1.2 A further purpose of this policy is to provide authorised users of the University IT with a safe and acceptable working environment. The University does not intend to obstruct or limit the use of information without reason but makes rules to establish and maintain good practice and to deliver its policy objectives; this is done for the benefit of the University community as a whole.
1.3 The University possesses and uses computer systems, networks and allied hardware and other peripherals as an integral and pervasive part of its operations. In addition to protecting the considerable investment that the University has made to secure these facilities, the University’s ability to function and its good reputation depends on the efficient and full operation of its IT capability; the security and preservation of the University systems and of its digital data are of paramount importance. This policy is part of the governance framework which provides rules for managing the risks arising from complex systems and a large number of users.
The policy applies to Governors, staff, students and other users authorised by the University and taking legitimate access to the University’s systems. Examples of such authorised users include visiting academics, consultants whose work for the University requires access to the University’s systems, representatives of suppliers engaged in work under their employer’s contract with the University and associate staff engaged with the University’s higher education or research functions.
3. Provision of service and basic service rules for the use of University IT including confidentiality
3.1 The University provides IT facilities primarily for academic reasons and for the conduct of legitimate University business, not for the purposes of entertainment, shopping or other private use.
3.2 Users must treat information that they access or see via the University’s IT systems as confidential, unless the information is clearly intended to be public or disclosable in the context in which it is made available.
3.3 Users must contact the University’s IT Services for any change or modification to hardware and software; any such change should be made only by authorised members of the University’s staff.
3.4 Users are required to respect the legitimate access to the IT facilities by other users and must not obstruct this or remove or interfere with output created by any other user.
3.5 Users must be considerate when using the University’s IT facilities, including keeping noise to a minimum and keeping behaviour to that appropriate to an academic or business setting; in other words, conduct should be quiet and orderly.
3.6 Although the University’s IT facilities are provided primarily for legitimate academic and business purposes, the University permits limited personal use of email and of the internet subject to the rules set out in this policy and provided that such use does not conflict with the University’s interests, such as the proper performance by staff of their work for the University.
3.7 Access to another person’s emails will only be granted with the explicit consent of the University’s Chief Information Officer or Chief Operating Officer.
3.8 The ownership of material created via the University’s IT facilities is treated in accordance with the University’s Intellectual Property Policy (see www.brookes.ac.uk/research/policies-and-codes-of-practice)
3.9 Staff users are restricted in their access to the University’s staff-only information systems. Each staff user is granted initial data access as determined by their line manager. Additional access, as required by staff users on a case by case basis, will be subject to the University’s Access Control Policy.
4. Prohibitions and restrictions
Password and identity integrity
4.1 Revealing any account password (or associated secret authentication information) to others or allowing use by another person, including family and other household members.
4.2 Circumventing user authentication or security of any host, network service or account.
4.3 Impersonating another user.
Hacking and similar misuse
4.4 Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's network session, via any means, locally or via the Internet/Intranet/Extranet.
4.5 Gaining unauthorized access to, or intentionally damaging, other computer systems, network services or the information contained within them. This includes erasing, altering, corrupting or tampering with any information other than in the legitimate conduct either of University business for staff or for the proper furtherance of academic study for students.
4.6 Executing any form of network monitoring that will intercept data not intended for the user’s host.
4.7 Port scanning or security scanning unless being conducted by authorized members of the University’s IT Services (or third parties specifically authorized by IT Services.)
4.8 Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, email bombs etc.)
4.9 Effecting security breaches or disruptions of network communication. Examples of security breaches are accessing data of which the user is not an intended recipient or logging into a server or account that the user is not expressly authorised to access. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
4.10 Any unlawful activity not otherwise covered. Examples of such unlawful activity include:
a) infringement of intellectual property rights including distributing or obtaining illegally copied software, media or other material
b) breaching another person’s privacy
c) harassment or bullying
e) sending unsolicited advertising or promotional material
f) conducting any corrupt practice
4.11 The creation, transmission, storage, downloading or display of any offensive, obscene, discriminatory (either on the grounds of sex, disability, colour, race, religion or belief, or sexual orientation), indecent, explicit or threatening data or other material (unless such access is necessary) for one or more of:
a) authorized research activity
b) investigatory or disciplinary process
d) co-operation with the Police, Prevent or other official enquiry.
Users should be aware that the University takes its responsibility under the Counter-Terrorism and Security Act 2015 extremely seriously including those requirements detailed in Section 29 of the Act and referred to as the "Prevent Duty". Consequently, users must not deliberately create, display, produce, store, circulate or transmit material related to terrorism or extremist ideology in any form or medium except where required for the purposes set out at 4.11 a) to d) above.
Confidentiality including email forwards
4.12 Disclosing any information about, or providing lists of, University staff or students to any party not employed by the University (unless in the course of legitimate University business or authorised by a member of the senior management of the University.)
4.13 Storing any confidential information on any system other than one provided by the University, unless formally approved by the University’s IT Services.
4.14 Sending any confidential information online by any means, without utilising appropriate, approved, security methods. Online communications may be subject to interception by persons outside the University and such interception may not be detectable or perceptible by the user. Any encryption software used should be provided by or approved by the University’s IT Services.
4.15 Using an automatic forwarding facility for email which takes email from a University account to an outside network unless, in the case of staff, this has been approved by an appropriate manager. Automatic email forwarding may result in the inadvertent transmission of sensitive information to external email accounts and users should therefore exercise utmost caution when sending any email from a University account to an outside network.
4.16 Private profit, except to any extent authorised in writing under a user’s conditions of employment or other express agreement with the University.
4.17 Connecting any unsecured, internet enable-able device to the University’s IT systems.
4.18 Failing to read or adhere to the terms and conditions of any licence agreements relating to the relevant IT facilities including software, equipment, consumables, services, databases, platforms, publications and goods.
5. Monitoring, breach and enforcement
5.1 Although the University respects and appreciates the value of personal privacy, its IT systems are provided for academic and business purposes and users should have no expectation of privacy when using the University’s IT facilities.
5.2 Any user becoming aware of any suspected, accidental, or intentional illegal action or misuse must report this immediately to the IT Service Desk or to an appropriate member of staff.
5.3 The University has the right to monitor all usage of the IT, communications and computer systems at any time and without notice. Examples of specific circumstances where the University may choose to monitor are:
to ensure the proper working of the systems or to assist troubleshooting
to ensure that all users comply with University policies, practices and procedures (including but not limited to this policy)
to investigate or detect the unauthorised use of Oxford Brookes University's systems.
5.4 The University may inspect, lock, block, scan, clone or remove any computer or drive or information at any time at its sole discretion.
5.5 Users should be aware that breach of these rules may constitute a criminal offence or result in disciplinary action under either the Student Conduct Regulations or the Staff Conditions of Service.
5.6 The University will cooperate with law enforcement authorities to prosecute offenders.
6. Related policies
6.1 Users accessing social media should refer to the Oxford Brookes University Social Media Guidelines (available at www.brookes.ac.uk/services/hr/handbook/terms_conditions/social_media_guidelines.html).
6.2 Users should also refer to these related policies:
a) security sensitive material (www.brookes.ac.uk/research/policies-and-codes-of-practice)
b) information security incident management policy (see policies below)
c) access control policy for staff (see policies below)
d) intellectual property policy (www.brookes.ac.uk/research/policies-and-codes-of-practice)
7. Change procedure and notice of changes
7.1 This policy shall be reviewed at least annually by the Chief Information Officer or his nominee, currently the Head of Information Management.
7.2 Where the Chief Information Officer considers that one or more material changes have been made to the policy, the policy shall be presented to the University’s Executive Board as a consultation document.
7.3 The Chief Information Officer is responsible for keeping the policy accessible to users and for bringing changes of significance to the attention of users by whatever means he thinks appropriate.
7.4 Changes to this policy are authorized with immediate effect by the Chief Operating Officer on the advice of the Chief Information Officer whether at a meeting of the University’s Executive Board or otherwise.
A key feature of GDPR is transparency, and privacy notices are the principal way of delivering this, letting individuals know what personal information Oxford Brookes collects and why, who we may share it with and what your rights under the legislation are.
Personal data is any information that can be used to identify a single, living individual, whether it relates to private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Student Privacy Notice
Staff Privacy Notice
Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.
2.1 For the purposes of this document, information security is defined as the preservation of:
2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy.
4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.
4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer.
4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.
The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements.
6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.
6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT Services directorate or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies).
6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.
6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.
6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT Services, in order to ensure that up-to-date virus protection is maintained.
All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.
Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.
9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.
9.2 Controls to mitigate the risks must be identified and implemented where appropriate.
10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.
10.2 A formal access control procedure shall be required for access to all information systems and services.
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.
All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.
All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services.
The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found on the Business Continuity page.
1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).
In summary these state that personal data shall:
"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.
"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.
"Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will
3.1 All staff shall
ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date;
inform the University of any changes to information, for example, changes of address;
check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.
The University shall not be held responsible for errors of which it has not been informed.
3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.
3.3 Staff shall ensure that
3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.
4.1 All students shall
The University shall not be held responsible for errors of which it has not been informed.
4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.
5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.
5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.
5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.
6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)
7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.
7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.
8.1 The University is the data controller under the Act, and the Vice Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.
9.1 Students shall be entitled to information about their marks for assessments, however this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.
10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.
11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at firstname.lastname@example.org.
11.2 Any individual who considers that the policy has not been followed in respect of personal data about him- or herself should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.
The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:
The Public Register of Data Controllers on the Information Commissioner's website contains full details of the University's current registration. The register entry provides:
For further information about these regulations, please contact the Information Compliance Officer.
By default the University grants colleagues administrator logon rights on new Windows and Mac-based computers. If you have an existing device and would like to request a local administrator account, please do so using this form. These rights allow you to:
modify system settings
manage other users of the device.
It is important that when using your local administrator account, you adhere to the following guidelines to protect the University’s systems, devices and network:
change your portal password every 90 days, ensuring that it is a strong password of at least 12 characters.
maintain the integrity of your workstation by not taking excessive risk by installing software from the internet
always work whilst logged into your standard, non-administrative user account and only use the local administrator account to elevate privileges at the time when you need them
routinely check that your anti-virus software is updating, checking for and eliminating spyware, or any similar data gathering and reporting software, from your workstations
do not share your local administrator account details with others
report any system failures and security issues to IT Services at the earliest opportunity
keep up-to-date with, and adhere to, all IT policies including, but not limited to, the IT Acceptable Use Policy
do not interfere with any automatic updating/patching or enforced policies or services performed or provided by IT Services.
The University recognises that by giving colleagues administrative rights and enabling you to manage your workstations, productivity and operational efficiency can be substantially increased. However, Administrator access to a computer can lead to unintended and unauthorised configurations that may cause both you and the IT support service difficulties operationally and potentially legally.
All University-owned devices that have access to the network, either wired or wireless, are required to be configured to the following standards:
the device must be a member of a recognised university domain or management system
the device must have the current required management software installed including, but not limited to, power management, software compliance toolsets, configuration management toolsets. (Management software may vary by device type)
the device must have active, current and correctly configured anti-virus software
the device must be patched with operating system and third party vendor patches to a level required by IT Services.
Any customisation of a device to a configuration other than that provided or supported by IT Services will be lost in the event of a computer failure. Its restoration will be to a standard pre-customisation configuration.
The University reserves the right to restore a machine to a standard configuration if that machine is found to be a security risk. In such cases the University will not be responsible for any resultant data losses.
The University reserves the right to decline requests for administrator rights on any device for which access must be restricted due to its function, location or use by multiple users.
Misuse of administrator rights is defined as, but not limited to:
downloading software that is malicious, by intent or otherwise
downloading unlicensed/illegal software
downloading and/or distributing copyrighted material without permission
permitting public, or unauthorised, access to data that is restricted in nature
failure to adhere to the policies and procedures outlined above.
1.1 To define the requirements of Oxford Brookes University (OBU) to ensure that access to information assets is authorised and subject to identification and authentication controls
1.2 To establish the requirements for controlling access to OBU information or information that it is responsible for, including computing and physical resources. Computer systems, networks and allied hardware and other peripherals are an integral part of our operations and represent substantial investment.
1.3 It is the purpose of the Access Control Policy to ensure that all access to information assets is properly authorised, maintained and reviewed.
2.1 This Access Control Policy shall apply to all access to OBU's information assets.
2.2 All Users provided with access to OBU's information systems shall comply with this Access Control Policy as indicated in the IT Acceptable Use Policy.
2.3 Access to physical and non-physical assets will be governed under the same principles.
2.4 This Access Control Policy shall establish the Logical and Physical Access control requirements for protecting the entire university's information systems and hardcopy data.
3.1 This Access Control Policy forms part of Oxford Brookes University’s Information Security Management System (ISMS) Framework as defined in the Information Security Policy.
3.2 This policy should be read in conjunction with OBU’s IT Acceptable Use Policy, which summarises what OBU deems to be acceptable use of information systems.
3.4 OBU’s information systems are provided for business purposes only and this Access Control Policy is used to ensure that Users:
3.5 Access allocation shall be monitored to ensure compliance with this Access Control Policy.
3.6 All Users, who use the university's information assets and information systems, shall be responsible for safeguarding those resources and the information the information Owners hold, from disruption or destruction.
3.7 The Access Control Policy shall apply to all Users who have access to the university's information assets, including remote access.
3.8 Failure to comply may result in the offending employee being subject to disciplinary action up to and including termination of employment as per the Information Security Policy.
3.9 The use of the university's information assets and information systems indicates acceptance of this Access Control Policy.
4.1 Oxford Brookes University IT Services shall ensure that Users are provided with education and training to ensure compliance with this Access Control Policy.
4.2 Oxford Brookes University IT Services shall develop, maintain and publish standards, processes, procedures and guidelines to achieve compliance with this Access Control Policy.
4.3 Annually review the Access Control processes, standards and procedures, to achieve compliance with this Access Control Policy and shall support the Access Control Strategy and provide security specific input and guidance where required.
4.4 IT asset owners and authorised users shall be assigned for each identified IT asset in order to approve or reject requests for access to their system.
4.5 IT asset owners and authorised users shall check the validity of all user access requests to information assets owned by them before implementation.
4.6 IT asset owners and authorised users shall authorise employees requiring access to information assets owned by them.
4.7 Human Resources (HR) shall inform the IT department of users starting, moving and leaving the university.
4.8 All appropriate managers shall authorise any requirement to change users' access rights on the information systems.
4.9 Users shall not share access codes and/or passwords; if access to other information systems is required then a formal request shall be put forward for authorisation by an appropriate manager.
4.10 Users shall not share their physical access cards; if physical access to restricted areas is required then a formal request shall be put forward for authorisation by the line manager.
4.11 Users shall be responsible for the security (and secrecy) of their own secret authentication information. In no circumstances is secret authentication information to be shared.
4.12 Users shall ensure incidents are reported and escalated in line with the documented Information Security Incident Management Procedure.
4.13 The University shall be responsible for ensuring all Users of OBU's information systems read and acknowledge the policy principles extracted from this Access Control Policy and included in the Acceptable Use Policy.
5.1 All information assets shall be "owned" by a named individual within OBU.
5.2 A process for user access requests, which mandates the steps to be taken when creating or modifying user access shall be defined, documented, annually reviewed and updated. The scope of this process must include network, application and database access and be applicable to any third party access.
5.3 Access to information assets shall be restricted to authorised employees and shall be protected by appropriate physical and logical authentication and authorisation controls.
5.4 Users shall be authenticated to information systems using accounts and passwords. See OBU’s Password Policy for further details.
5.5 Users are required to satisfy the necessary personal security criteria, as defined by OBU's Recruitment Policy, before they can be authorised to access information assets of a corresponding classification.
5.6 Users who have satisfied all necessary criteria may be granted access to information assets only on the basis that they have a specific need to know, or to "have-access-to", those information assets.
5.7 The classification of an information asset does not, in itself, define who is entitled to have access to that information. Access is further filtered by any applicable privacy restrictions as dictated by other OBU Policies (such as the Data Protection Policy).
5.8 Access privileges shall be authorised by the appropriate information Owner and allocated to employees, based on the minimum privileges required to fulfil their job function.
5.9 Administrator accounts shall only be granted to those users who require such access to perform their job function. Administrator accounts shall be strictly controlled and their use shall be logged, monitored and regularly reviewed.
5.10 Users with administrator access shall only access sensitive data if so required in the performance of a specific task.
5.11 Users with administrator access shall also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to electronic mail.
5.12 Line managers, information asset owners and authorised users shall ensure rights and privileges granted to Users of information assets are reviewed at least every 6 months to ensure that they remain appropriate and to compare user functions with recorded accountability. This shall include access to user accounts, which shall be revoked when they have been inactive for more than 90 days.
5.13 Access shall be granted only to those systems or roles that are necessary for the job function of the user. Regular maintenance will address the management of privilege creep.
5.14 Detailed processes shall be developed and followed for terminating, modifying or revoking an employee's access, as part of the Movers/Leavers process.
5.15 In certain instances, particular access may be required for emergency reasons, such as undertaking emergency system maintenance. Requests for emergency access shall be directed to the OBU Chief Information Officer, or a member of the IT Services Executive, and shall be approved by the information asset owner or authorised user. Requests and approval should be documented, if possible, before the change is required stipulating an expiry period, which shall be enforced, for the access rights. A request for change shall be documented retrospectively where it is not possible to do this in advance.
5.16 All third party access (Contractors, Business Partners, Consultants, Vendors) shall be authorised by an appropriate information Owner and, if necessary, monitored.
5.17 Third Party Access to information assets shall be granted in increments according to business need and identified risks. Information asset owners shall specify access timeframes and be prepared to offer justification for such access.
5.18 Remote access to OBU's networks shall be appropriately authorised on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement. Only employees of the university or authorised third parties shall be able to connect to the university's corporate infrastructure remotely.
5.19 Only authorised personnel shall be given access to secure areas at the university's premises and any third party premises where sensitive information is processed or maintained, or physical assets are held.
5.20 All access to areas hosting systems that store, process, or transmit sensitive data (e.g. datacentres) shall be controlled, monitored by cameras and logged. Logs shall be regularly audited, correlated with other logs and securely stored for at least three months, unless otherwise restricted by law.
5.21 All visitors shall have authorisation prior to entering any of the university's sites where sensitive data is processed or maintained.
5.22 All visits shall be logged and details of logs retained for a minimum of one month, unless otherwise restricted by law. Reception staff shall be made aware of their responsibility to log every visitor to OBU sites.
5.23 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive OBU data is processed or maintained.
5.24 User account names and actions performed shall be recorded using Audit logging capabilities.
5.25 The IT Services Information Management Team shall maintain plans indicating time schedules of all information security access audits to be performed across OBU to ensure compliance with this Access Control Policy.
5.26 Site management shall perform a formal review of physical access rights at least every 6 months to identify unauthorised or expired access. Access controls shall be revoked in instances where access is no longer necessary for job function.
1.1 The University holds a large amount of information in a variety of media, physical and otherwise (including photos and videos). This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise.
1.2 The University has legal responsibilities both under the Data Protection Act and in respect of its own business (for example, under the common law of confidence) to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorised access.
1.3 In the event of an information security incident (also referred to as a ‘data breach’), it is vital that appropriate action is taken to minimise associated risks. A risk analysis should be performed, factors which need to be considered are:
1.4 Any member of staff, student, contractor or pseudo-employee discovering or suspecting an information security incident must report it in accordance with this policy.
2.1 An information security incident is an event whereby data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Some examples:
Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone
Unauthorised access to data
Human error, e.g. emails to wrong recipient; public posting of confidential material online; incorrect sharing of Google documents
Failure of equipment or power leading to loss of data
Data maliciously obtained by way of social engineering (an attack in which a user is ‘tricked’ into giving a third party access, often by purporting to be someone other than they actually are)
2.2 Information security incident reporting also includes instances of ‘near misses’ and identification of vulnerabilities where IT Services considers there is a high likelihood of an actual incident occurring.
3.1 All Information security incidents should be reported immediately to The IT Service Desk (via phone on ext. no. 3311, or the ServiceNow Portal), as the primary point of contact.
3.2 The report should include full and accurate details of the incident, including who is reporting the incident; what type of data is involved (not the data itself unless specifically requested); if the data relates to people and if so, how many people are involved.
3.3 The IT Services Information Management team is responsible for maintaining a confidential log of all information security events.
4.1 The Information Management team will consider the report, and where appropriate, instigate a Response Team. IT Services will lead the Response team and membership will depend on the type and severity of the incident. The response team will be responsible for investigating the circumstances and effect of the information security incident. An investigation will be started into material breaches within 24 hours of the breach being discovered, where practicable.
4.2 The investigation will establish the nature of the incident, the type of data involved, whether the data is personal data relating to individuals or otherwise confidential or valuable. If personal data is involved, associated individuals must be identified and, if confidential / valuable data is concerned, what the legal and commercial consequences of the breach may be.
4.3 The investigation will consider the extent of the sensitivity of the data, and a risk assessment performed as to what might be the consequences of its loss. This will include risk of damage and/or distress to individuals and the institution.
4.4 The response team is responsible for formally documenting the incident and associated response. This information will (as a minimum) be subject to review by the Oxford Brookes University Information Security Working Group (ISWG) with serious incidents reviewed by the Chief Information Officer and other senior managers.
5.1 The Response Team and IT Services Lead will determine the appropriate course of action and the required resources needed to limit the impact of the breach. For instance this may require isolating a compromised section of the network; alerting relevant staff or contractors; changing access codes/locks or shutting down critical equipment.
5.2 Appropriate steps will be taken to recover data losses and resume normal business operation. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data and changing compromised passwords.
5.3 For incidents that involve a suspected or actual criminal offence all efforts will be made to preserve evidence integrity.
6.1 The details of the escalation and notification process are schematised in the appendix. A summary of this process is provided below.
6.2 The information management team is responsible for initial assessment of an incident's severity based on the scope, scale and risk of the incident.
6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy, Information Management and Business Partnerships.
6.4 If at this stage the incident is deemed serious then the University Senior Management Team will be notified.
6.5 If a personal data breach has occurred of sufficient scale The Information Management team will notify the Information Commissioner’s Office (ICO) within the prescribed statutory time limits and manage all communications between the University and the ICO.
6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and concerns personal data, notice of the breach will be made to affected individuals to enable them to take steps to protect themselves. This notice will include a description of the breach and the steps taken to mitigate the risks, and will be undertaken by the Response Team. Liaison with the Police or other authorities may be required for serious events.
7.1 Once the incident is contained a thorough review of the event will be undertaken by the Response Team, to establish the cause of the incident, the effectiveness of the response and to identify areas that require improvement.
7.2 Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter. Targeted training may be offered to the department affected.
7.3 All information security incidents will be subject to summary review by the ISWG so that any weaknesses or vulnerabilities that may have contributed to the incident can be identified, documented and resolved.
1 Introduction and Policy Objectives
1.1 The purpose of this Password Policy is to protect Oxford Brookes University (OBU) information assets from unauthorized use, and possible accidental or intentional misuse, through weak password security practice.
1.2 The policy applies to all users (students, staff, consultants, contractors and visitors) who have been given access to OBU information and communication systems or who are using third-party systems or services which have been contracted for by OBU.
1.3 On joining OBU staff shall be required as part of their terms and conditions that they will keep all personal secret authentication information private and keep any group secret authentication information solely within the members of the group.
2.1 All user-level and system-level passwords must conform to current best practice guidelines (so-called ‘strong’ passwords). For further information please contact the IT Service Desk; in general, however, ‘strong’ passwords have the following characteristics:
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters e.g. 0-9, -_.!~*()
Are at least twelve alphanumeric characters long
Are not based on personal information, names of family, etc.
2.2 Users must not use the same password for OBU accounts as they do for personal / non-OBU accounts.
2.3 Where possible, users must not use the same password for different accounts.
2.4 User accounts that have system-level privileges granted through group memberships, or programs such as Sudo, must have a different password from all other accounts held by that user to access system-level privileges.
3.1 Users must abide by local or application-specific guidelines on the frequency of password changes. Changing passwords in itself is not a guarantee of security.
4.1 Passwords must not be shared with anyone (including other OBU staff). All passwords are to be treated as sensitive and confidential OBU information.
4.2 Do not write passwords down and store them in your office or place of work. Do not store passwords in a computer file unless the file itself is encrypted.
4.3 The use of ‘remember my password’ in applications (e.g. browsers) is not recommended for OBU passwords.
4.4 Any user that suspects their password may have been compromised must change it and inform the IT Service Desk immediately.
4.5 The use of password manager (also known as password vault) applications is permitted. For further information please contact the IT Service Desk.
5.1 It is recommended that users enable multi-factor authentication functionality on all system accounts where available.
6. Application Development
6.1 Application developers must ensure that their programs contain the following security precautions:
Applications must support authentication of individual users, not groups
Applications must not store passwords in a reversible form and must use PBKDF2 where possible.
All password hashes must be salted.
Applications must not transmit passwords in cleartext over the OBU network.
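One way to meet the storage precautions in section 6.1 together with the ‘strong’ password characteristics in section 2.1, as an added example that is not OBU's own code. The function names, the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
from base64 import b64decode, b64encode

ALGORITHM = "pbkdf2_sha256"   # label stored with each record (assumed format)
ITERATIONS = 600_000          # assumed work factor, not taken from the policy
SALT_BYTES = 16
MIN_LENGTH = 12               # section 2.1: at least twelve characters


def policy_violations(password: str) -> list[str]:
    """Return the section 2.1 characteristics the password does not meet."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a punctuation character")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a non-reversible record with a fresh random salt per password."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     b64encode(salt).decode("ascii"),
                     b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = b64decode(salt_b64, validate=True)
        expected = b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, OverflowError):
        # Malformed or truncated record: treat as a failed login, never crash.
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was created with a lower work factor than today's."""
    try:
        return int(record.split("$")[1]) < ITERATIONS
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    sample = "Tr1cky-Horse-Battery"          # constructed sample password
    print(policy_violations(sample))
    stored = hash_password(sample)
    print(stored.split("$")[:2], verify_password(sample, stored))
```

Because the iteration count is stored in each record, the work factor can be raised later: verify against the old record at login, then re-hash with the current setting when `needs_rehash` returns true.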
1.1 This document defines the Network Security Policy for Oxford Brookes University (OBU). The Network Security Policy applies to all network hardware, services on the network and network attached systems.
1.2 For the purpose of this policy a network is defined as Oxford Brookes University’s connected (physically and wirelessly) data network that allows computing devices (including phones) to exchange data.
1.3 The aim of this policy is to ensure the security of the network. To facilitate this, the university shall:
Protect assets against unauthorised access or disclosure (Confidentiality)
Protect the network from unauthorized or accidental modification and ensure the accuracy and completeness of data assets (Integrity)
Ensure the network is accessible how and when users need it (Availability)
2.1 To protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.
2.2 To provide effective protection that is commensurate with the risks to OBU network assets.
2.3 To implement the policy and associated procedures in a consistent, timely and cost-effective manner.
2.4 To ensure OBU is compliant with all relevant legislation, including (but not limited to):
The Data Protection Act 1998
Computer Misuse Act 1990
Human Rights Act 1998
Freedom of Information Act 2000
Electronic Communications Act 2000
Copyright, Designs & Patents Act 1988
3.1 Network equipment (principally routers, switches and servers) shall be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.
3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.
3.3 Critical or sensitive network equipment will be protected from power supply failures and protected by intruder alarms and fire suppression systems.
3.4 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.
3.5 All visitors to secure network areas must be authorised by an appropriate manager.
3.6 All visitors to secure network areas must be made aware of network security requirements.
3.7 The movement of visitors to secure network areas must be recorded. The log will contain name, organisation, purpose of visit, date, and time in and out.
3.8 The Network Manager, or appropriate deputy, shall ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.
4.1 Access to limited-access network services shall be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will be via the University’s remote access software.
4.2 Departmental business managers will approve user access to systems including network access via standard staff joiner/leaver processes.
4.3 Access rights to network services will be allocated on the requirements of the user's role, rather than on a status basis.
4.4 All users of network services will have their own individual user identification and password.
4.5 Users are responsible for ensuring their password is kept secret (please see OBU’s Password Policy for further details).
4.6 User access rights shall be removed or reviewed for those users who have left the University or changed roles as soon as practically possible.
5.1 Third party access to network systems, services, hardware and network attached systems shall be based on a formal contract that satisfies all necessary security conditions.
5.2 All third party access to network systems, services, hardware and network attached systems must be logged.
5.3 For further information please refer to the University Third Party & Supply Chain Management Policy.
6.1 The Network Manager will ensure that adequate maintenance contracts are maintained and periodically reviewed for all network equipment.
6.2 The Network Manager is responsible for ensuring that a log of all faults on network systems and equipment is maintained and reviewed.
6.3 OBU shall ensure that timely information regarding the technical vulnerabilities of information systems is obtained. Any vulnerability will be assessed and any risks will be appropriately controlled.
6.4 The use of privileged utility programs that may be capable of overriding system and application controls shall be controlled and restricted.
6.5 Operational software shall only be installed by authorised system administrators and authorised third-parties (see section 5).
7.1 Documented operating procedures should be prepared for the operation of network services and systems, to ensure their correct, secure operation.
7.2 Changes to operating procedures must be authorised by the Network Manager.
8.1 The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.
8.2 Documented procedures for backup processes and storage will be produced and communicated to all relevant staff.
9.1 The University will ensure that all users of network systems, services, hardware and network attached systems are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.
9.2 All users of network services and systems must be made aware of the contents and implications of the Network Security Policy.
9.3 All users must ensure that they protect the network from unauthorised access. They must log off the network when finished working.
9.4 Irresponsible or improper actions by users may result in disciplinary action.
10.1 Software to protect against malware should be installed on all client devices including mobile computing assets.
10.2 Software used to protect University systems against malware shall be regularly reviewed and updated.
10.3 Procedures on dealing with malware protection and attacks shall be developed and documented together with appropriate business continuity plans.
11.1 All network systems and services shall be synchronised using ntp.brookes.ac.uk
12.1 Adequate event logs recording network activity, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
12.2 Logging facilities and log information shall be protected against tampering and unauthorised access.
12.3 The activity of privileged users shall be logged and the logs protected and regularly reviewed.
1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and sensitive personal data (as defined by the UK Data Protection Act, 1998), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).
1.2 It is sometimes necessary when we are working with partner organisations or other institutions or on collaborative projects, to share personal data or information with those institutions or partners. This might entail:
The University may receive personal information from the institution or partner
The University may send personal information to the institution or partner
A request for personal information held by one or both of us
1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. We must also consider the legislative implications that this might have on us at the university.
2.1 Disclosures of information should be relevant, proportionate and lawful.
2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:
What data is to be shared
For what purpose
Legal justifications for sharing
Benefits and risks of sharing
Information lifecycle (retention and disposal)
Responsibilities and liabilities in the event of information security incidents
Agreed methods of transfer
Appropriate audit trails and governance
Appropriate ID and background checks (where applicable)
3.1 Electronic Documents
3.1.1 Sufficiently secure methods must be used when transferring personal data.
3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 19) prior to transfer and protectively marked.
3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.
3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.
3.1.5 If transfer is by email, information must be sent to named persons where possible; the use of group mailboxes is to be avoided.
3.1.6 Information no longer in use by either party must be securely deleted.
3.2 Hardcopy Documents
3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.
3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via the University’s approved mail delivery company.
3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.
1.1 This policy covers the use of non-University owned electronic devices to access corporate systems and process University information. Such devices include, but are not limited to, smartphones, tablets, laptops and similar technologies. This is commonly known as ‘Bring Your Own Device’ or BYOD.
1.2 If you wish to BYOD to access University systems, data and information, you may do so provided that you follow the provisions of this policy and the advice and guidance provided through the IT Services Service Desk.
1.3 The University is keen to have an agile, flexible and responsive workforce. Therefore the University has actively encouraged BYOD, enforcing as few technical and procedural constraints as possible whilst still satisfying its legal compliance obligations.
2.1 BYOD – Bring Your Own Device refers to Users using their own device (which is not owned or provided to them by the University) to process University information, whether at the place of work or remotely, typically connecting to the University or other Wi-Fi Service.
2.2 As the device is not owned by the University there is no guarantee that support will be provided for the device and any faults of software, hardware or peripherals must be rectified by the owner at their cost.
3.1 The University takes Information and Systems Security very seriously and invests significant resources to protect its data. The University’s data, irrespective of what device is used to process it, remains an asset of the University.
3.2 When using the device to process University data, the user must adhere to the policies of the University, including the IT Acceptable Use Policy.
3.3 If a personal device is used for work purposes, the user must take all reasonable steps to secure the device from risks such as:
Loss or theft of device
Unauthorized access of the device or University data
Malicious software attacks
Such steps may include:
Encryption of the device
PIN, passphrase or biometric access control
Not retaining any data locally on the device
Regular and timely security updates
Ensuring that the device manufacturer’s security mechanisms are not bypassed (Jailbreaking, rooting, etc.)
Activating any tracking or locating software available on the device
Ensuring all University data is removed from the device when it is sold, recycled or transferred to a third party
4.1 Although the University will not monitor personal devices, in some cases the University may monitor the flow of University data between a device and its systems.
5.1 Where the processing of sensitive personal data (as defined by the UK Data Protection Act, 1998) is deemed necessary for operational purposes an appropriate manager should assess the risks and decide if this is appropriate.
6.1 Data must be handled in accordance with the University’s Intellectual Property Policy. On termination of employment the user may be required to return or delete data as instructed by Oxford Brookes University.
6.2 The User must take reasonable steps to ensure that personal data is sufficiently segregated from Oxford Brookes University data on the device. Such steps must ensure that University data will not be merged with an employee's personal data. This must be done to a degree that non-employees, such as family members who use the device, do not have the ability to access University data.