Information Security Management

In 2019, Oxford Brookes achieved the globally recognised information security certification ISO/IEC 27001, as part of its commitment to protecting its information and that of its staff, students and partners.

This certification applies to all staff and associates provided with access to Oxford Brookes' information assets and network services, all information assets and the associated business processes that support the provision of education and ancillary University services.

The benefits of the ISO 27001 framework

Benefits of the framework are:

  • Colleagues, students and parents can be confident that all University information captured and stored is validated by an internationally recognised framework.
  • It ensures that a common set of policies, procedures and controls are in place to manage any risks to information security and to reduce the number of data breaches.
  • It illustrates the University’s commitment to information security at all levels.
  • Improving the auditing and organisation of University information, making the operation more efficient.
  • A training and awareness programme to help all colleagues, students and key stakeholders understand their responsibilities when handling personal or University data.

Information classification

When creating any form of information on behalf of the University, content owners need to assign it one of the following categories:

Public

Information classed as public

This information can be readily shared and made publicly available with no adverse consequences for any organisation or individual. Typical content might be:

  • news and updates,
  • external website content,
  • most policy documents,
  • published research,
  • published accounts,
  • most personal correspondence.

Restricted access

Information classed as restricted

This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious. This information could be financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include what is now called “Personal” Data. Typical content might be:

  • most professional correspondence,
  • individual student marks and feedback,
  • emails and documents containing limited personal data,
  • policy, procedure and planning documents with technical or commercially sensitive information,
  • non-confidential meeting agenda and minutes,
  • pre-publication research data,
  • most financial data.

Confidential

Information classed as confidential

This information has a significant value for Oxford Brookes University, another organisation or individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know basis” only. This classification will include Special Category of Personal Data as defined in Data Protection Law. Large amounts of datasets of information which would otherwise be classified as “Restricted” were it a smaller amount, may become classified as “Confidential” by merit of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by email using info.sec@brookes.ac.uk 

Typical content might be:

  • emails and documents containing large amounts (200+ records) of student personal data - grades, names and addresses,
  • HR records
  • student wellbeing records
  • emails and documents that include special category personal data of staff and students - race, ethnicity, religion, health, political beliefs, genetic or biometric data, trade union membership, criminal convictions and sexual orientation.
  • materials received from third-parties that are proactively marked as ‘confidential’.

Please take a look at some typical scenarios for classifying work-related information:

Access control

Scenario Public Restricted Confidential
Internal access Unrestricted dissemination via email or hard copy. Dissemination only to appropriate staff and affiliates. Access restricted to named individuals only.
External access Unrestricted dissemination providing this doesn't violate any laws. Oxford Brookes should be identified as the source of the material. Information should be provided to third parties about who is allowed access to the information. Access restricted to named individuals only.

Hard copy information (print)

Scenario Public Restricted Confidential
Storage No restrictions. If appropriate to retain, information should be stored out of sight when not in use. Should not be stored in publicly accessible areas. Information should be stored in a securely locked drawer or cabinet when not in use.
Sharing No restriction providing this doesn't violate any laws or regulations (eg copyright laws). Use internal mail system. Consider use of special or tracked delivery for external sharing. Use of sealed envelopes with recipient clearly named for internal post, consider use of hand delivery if appropriate. Courier or tracked delivery must be used for external sharing.

Email

Scenario Public Restricted Confidential
Internal No security restrictions, communications or local procedures may apply. Ensure correct recipients are selected. Consider use of shared links to files instead of attachments if access control is required. Only send to colleagues @brookes.ac.uk addresses. Double check correct recipients are selected. Local procedures may require checking by a second person. Email should be proactively labelled as 'confidential'. Only send to colleagues @brookes.ac.uk addresses. Use bcc where appropriate. Bulk confidential information should not be displayed in the body text of the email, use a password-protected attachment or Google Drive file link instead.
External No security restrictions, communications or local procedures may apply. Ensure correct recipients are selected. Non-disclosure or information sharing agreement may be required for sharing bulk data via email.

Consider whether sharing such information by email is appropriate. Double check correct recipients are selected. Email should be proactively labelled as 'confidential'. Use bcc where appropriate. Attached files must be encrypted and passwords communicated by a separate medium (eg by phone or text to a trusted mobile phone number.)

Bulk confidential information must not be displayed in the body-text of the email.

Consider use of secure (encrypted) email service, service should be approved by IT Services prior to use

Bulk emailing Please read the bulk emailing guidelines.

Please read the bulk emailing guidelines.

Bulk emailing of confidential information should be avoided and must be approved by IT Services.

Electronic documents / files

Scenario Public Restricted Confidential
Internal storage No restrictions although local procedures may apply.

Use access-controlled network shared drives or Google Drive. Information should not be stored on local computer drives (i.e. C: drive of laptop or desktop computer).


Use network shared drives or Google Drive, access to files must be confirmed and regularly reviewed. Consider use of password protection / encryption for highly confidential documents. Further related guidance.

External storage

No restrictions although local procedures may apply. Use of centrally managed University services is recommended.

Only use external / cloud hosted services approved by IT Services.

Only use external / cloud hosted services approved by IT Services. Use of personal cloud storage accounts to store confidential data is strictly forbidden.

File sharing No restrictions although local procedures may apply. Use of University email or centrally managed services ie Google Drive is recommended.

Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements may be required for sharing confidential data with third parties. Please check first with IT Services.

Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements are required for sharing confidential data with third parties.

Mobile devices

Scenario Public Restricted Confidential
Laptops No restrictions, data may be stored on University-owned or personal devices. Information should not be stored on local laptop drives unless necessary for business reasons and approved by the faculty or directorate data owner. Use of personal laptops for using and storing restricted information is not recommended. Confidential information must only be stored on centrally managed laptops with appropriate drive encryption. For further details please speak to the IT Service Desk.
Mobile phones and tablets No restrictions, data may be stored on University-owned or personal devices. Data may be stored on devices where access is authenticated using a PIN, password etc. Physical security of device should be ensured.

Confidential data should only be stored on managed mobile devices with appropriate security verified by IT Services. Physical security of device should be ensured.

USB and external drives No restrictions, data may be stored on University-owned or personal devices.

Drives must be encrypted to a minimum of AES128, check with IT Services if in doubt. For details of how to encrypt removable drives please see here or speak to the IT Service Desk.

Storage of confidential data on USB and external drives is not recommended and the approval of IT Services and Faculty / Directorate data owner must be sought before use. Drives must be encrypted to a minimum of AES128, please check with IT Services if in doubt. For details of how to encrypt removable drives please see here or speak to the IT Service Desk.

Voice

Public Restricted Confidential
No restrictions. Consideration should be given to who may overhear conversations and if it is appropriate to discuss subject matter with the individual. Calls and conversations regarding confidential data should not be held in locations where non-authorised individuals may overhear them.

Websites

Public Restricted Confidential
Websites should use https and be approved by IT Services or the central web team before being published. Websites should use https, include appropriate access controls and be approved by IT Services or the central web team before being published. Websites must use https and appropriate authentication and access control. They must be approved by IT Services before being published.

Deletion / destruction

Public Restricted Confidential
No security restrictions, local procedures may apply. Wastepaper should be disposed of using University provided secure waste disposal facilities. If off-site, a cross-cut shredder should be used. IT Services will arrange secure disposal of data-bearing electronic devices.

To request secure disposal of an IT asset please use the IT web portal.

Wastepaper should be disposed of using University provided secure waste disposal facilities. If off-site, a cross-cut shredder should be used. IT Services will arrange secure disposal of data-bearing electronic devices, self disposal of devices is strictly forbidden. To request secure disposal of an IT asset please use the IT web portal.

Classification and labelling

Public Restricted Confidential
No labelling required. Information should be labelled as 'restricted' or 'internal use only'. Information must be proactively labelled as 'confidential'.
ISO 27001 certified

Contact us

Information Security Office

Oxford Brookes University
Headington Campus
Gipsy Lane
Oxford OX3 0BP

+ 44 (0) 1865 484354
info.sec@brookes.ac.uk

Useful resources