In 2019, Oxford Brookes achieved the globally recognised information security certification ISO/IEC 27001, as part of its commitment to protecting its information and that of its staff, students and partners.
This certification applies to all staff and associates provided with access to Oxford Brookes' information assets and network services, all information assets and the associated business processes that support the provision of education and ancillary University services.
The benefits of the ISO 27001 framework
Benefits of the framework are:
- Colleagues, students and parents can be confident that University information is captured, stored and handled under a management system certified against an internationally recognised standard (the certificate covers the management system and its controls, not each individual record).
- It ensures that a common set of policies, procedures and controls is in place to manage risks to information security and to reduce the number of data breaches.
- It demonstrates the University's commitment to information security at all levels.
- It improves the auditing and organisation of University information, making operations more efficient.
- It includes a training and awareness programme to help all colleagues, students and key stakeholders understand their responsibilities when handling personal or University data.
When creating any form of information on behalf of the University, content owners need to assign it one of the following categories: Public, Restricted or Confidential. The classification determines how the information may be accessed, stored, shared and destroyed.
The tables below set out typical scenarios for classifying and handling work-related information:
Access control
Scenario | Public | Restricted | Confidential |
---|---|---|---|
Internal access | Unrestricted dissemination via email or hard copy. | Dissemination only to appropriate staff and affiliates. | Access restricted to named individuals only. |
External access | Unrestricted dissemination providing this doesn't violate any laws. Oxford Brookes should be identified as the source of the material. | Third parties receiving the information should be told who is allowed access to it. | Access restricted to named individuals only. |
Hard copy information (print)
Scenario | Public | Restricted | Confidential |
---|---|---|---|
Storage | No restrictions. | If appropriate to retain, information should be stored out of sight when not in use. Should not be stored in publicly accessible areas. | Information should be stored in a securely locked drawer or cabinet when not in use. |
Sharing | No restriction providing this doesn't violate any laws or regulations (eg copyright laws). | Use internal mail system. Consider use of special or tracked delivery for external sharing. | Use of sealed envelopes with recipient clearly named for internal post, consider use of hand delivery if appropriate. Courier or tracked delivery must be used for external sharing. |
Email
Scenario | Public | Restricted | Confidential |
---|---|---|---|
Internal | No security restrictions, although communications or local procedures may apply. | Ensure correct recipients are selected. Consider use of shared links to files instead of attachments if access control is required. Only send to colleagues' @brookes.ac.uk addresses. | Double check correct recipients are selected. Local procedures may require checking by a second person. Email should be proactively labelled as 'confidential'. Only send to colleagues' @brookes.ac.uk addresses. Use bcc where appropriate. Bulk confidential information should not be displayed in the body text of the email; use a password-protected attachment or Google Drive file link instead. |
External | No security restrictions, although communications or local procedures may apply. | Ensure correct recipients are selected. A non-disclosure or information sharing agreement may be required for sharing bulk data via email. | Consider whether sharing such information by email is appropriate. Double check correct recipients are selected. Email should be proactively labelled as 'confidential'. Use bcc where appropriate. Attached files must be encrypted and passwords communicated by a separate medium (eg by phone or text to a trusted mobile phone number). Bulk confidential information must not be displayed in the body text of the email. Consider use of a secure (encrypted) email service; the service must be approved by IT Services before use. |
Bulk emailing | Please read the bulk emailing guidelines. | Please read the bulk emailing guidelines. | Bulk emailing of confidential information should be avoided and must be approved by IT Services. |
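The email rows above read as a checklist a sender applies by hand. They can also be expressed as a pre-send check, which is how a mail gateway or DLP rule would enforce them. The following is an added illustration written for this page, not a tool from Oxford Brookes or IT Services: the domain, the 'confidential' label and the rules are taken from the table, while the "bulk data" heuristic (three or more record-like lines), the `encrypted` flag on attachments and the sample messages are assumptions constructed for the example.

```python
"""Pre-send policy check modelled on the email-handling table above.

Added illustration, not Oxford Brookes' own tooling.  The domain, the
'confidential' label and the rules come from the table; the bulk-data
heuristic, Attachment.encrypted and the sample messages are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "brookes.ac.uk"     # table: "Only send to colleagues' @brookes.ac.uk addresses"
CONFIDENTIAL_LABEL = "confidential"   # table: "Email should be proactively labelled as 'confidential'"

# Assumption: "bulk" data in a body means several lines that look like personal
# records, e.g. "Surname, Forename, 19012345".  Three or more such lines trip it.
RECORD_LINE = re.compile(r"^[^,\n]+,[^,\n]+,\s*\d{6,}\s*$", re.MULTILINE)
BULK_THRESHOLD = 3


@dataclass
class Attachment:
    name: str
    encrypted: bool  # assumption: the caller knows whether the file is encrypted/password-protected


@dataclass
class Message:
    classification: str                 # "public", "restricted" or "confidential"
    recipients: list[str]
    subject: str
    body: str
    attachments: list[Attachment] = field(default_factory=list)
    bcc: bool = False                   # True if recipients are in Bcc rather than To/Cc


def _is_external(addr: str) -> bool:
    """External unless the mailbox is at brookes.ac.uk or a subdomain of it."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN)


def _looks_bulk(body: str) -> bool:
    return len(RECORD_LINE.findall(body)) >= BULK_THRESHOLD


def check_message(msg: Message) -> list[str]:
    """Return policy findings for msg; an empty list means nothing blocks sending."""
    findings: list[str] = []
    cls = msg.classification.lower()
    external = [r for r in msg.recipients if _is_external(r)]

    if cls == "public":
        return findings                 # no security restrictions

    if cls == "restricted":
        # External sharing of bulk restricted data may need an NDA / information sharing agreement
        if external and _looks_bulk(msg.body):
            findings.append("bulk restricted data to external recipients: "
                            "NDA or information sharing agreement may be required")
        return findings

    if cls != "confidential":
        return [f"unknown classification {msg.classification!r}"]

    # Confidential rules from the table
    if CONFIDENTIAL_LABEL not in msg.subject.lower():
        findings.append("subject is not labelled 'confidential'")
    if _looks_bulk(msg.body):
        findings.append("bulk confidential data in body text: use a password-protected "
                        "attachment or a Google Drive link instead")
    if len(msg.recipients) > 1 and not msg.bcc:
        findings.append("multiple recipients visible in To/Cc: use bcc where appropriate")
    if external:
        findings.append("external recipients present: consider whether email is appropriate")
        for a in msg.attachments:
            if not a.encrypted:
                findings.append(f"attachment {a.name!r} to external recipient is not encrypted "
                                "(send the password by a separate medium)")
    return findings


# Constructed sample messages (not real correspondence)
SAMPLE_BODY = "\n".join(["Smith, Alice, 19012345", "Jones, Bob, 19012346", "Khan, Cara, 19012347"])

OK_INTERNAL = Message("confidential", ["a.smith@brookes.ac.uk"], "CONFIDENTIAL: exam board",
                      "See attached.", [Attachment("board.xlsx", encrypted=True)])

BAD_EXTERNAL = Message("confidential", ["x@example.org", "y@example.org"], "Exam board results",
                       SAMPLE_BODY, [Attachment("board.xlsx", encrypted=False)])

if __name__ == "__main__":
    for m in (OK_INTERNAL, BAD_EXTERNAL):
        print(m.subject, "->", check_message(m) or ["OK"])
```

The subdomain test in `_is_external` matters: a naive `endswith("brookes.ac.uk")` would accept `user@notbrookes.ac.uk`, so the check compares the whole domain or requires a dot before it. The bulk-data pattern is deliberately simple; a real gateway would use the organisation's own record formats and student-number pattern.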
Electronic documents / files
Scenario | Public | Restricted | Confidential |
---|---|---|---|
Internal storage | No restrictions although local procedures may apply. | Use access-controlled network shared drives or Google Drive. Information should not be stored on local computer drives (i.e. the C: drive of a laptop or desktop computer). | Use network shared drives or Google Drive; access to files must be confirmed and regularly reviewed. Consider use of password protection / encryption for highly confidential documents. |
External storage | No restrictions although local procedures may apply. Use of centrally managed University services is recommended. | Only use external / cloud hosted services approved by IT Services. | Only use external / cloud hosted services approved by IT Services. Use of personal cloud storage accounts to store confidential data is strictly forbidden. |
File sharing | No restrictions although local procedures may apply. Use of University email or centrally managed services ie Google Drive is recommended. | Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements may be required for sharing confidential data with third parties. Please check first with IT Services. | Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements are required for sharing confidential data with third parties. |
Mobile devices
Scenario | Public | Restricted | Confidential |
---|---|---|---|
Laptops | No restrictions, data may be stored on University-owned or personal devices. | Information should not be stored on local laptop drives unless necessary for business reasons and approved by the faculty or directorate data owner. Use of personal laptops for using and storing restricted information is not recommended. | Confidential information must only be stored on centrally managed laptops with appropriate drive encryption. For further details please speak to the IT Service Desk. |
Mobile phones and tablets | No restrictions, data may be stored on University-owned or personal devices. | Data may be stored on devices where access is authenticated using a PIN, password etc. Physical security of device should be ensured. | Confidential data should only be stored on managed mobile devices with appropriate security verified by IT Services. Physical security of device should be ensured. |
USB and external drives | No restrictions, data may be stored on University-owned or personal devices. | Drives must be encrypted to a minimum of AES-128; check with IT Services if in doubt. For details of how to encrypt removable drives, speak to the IT Service Desk. | Storage of confidential data on USB and external drives is not recommended, and the approval of IT Services and the Faculty / Directorate data owner must be sought before use. Drives must be encrypted to a minimum of AES-128; check with IT Services if in doubt. Note that drive encryption only protects data at rest and is only as strong as the passphrase or key that unlocks it. For details of how to encrypt removable drives, speak to the IT Service Desk. |
Voice
Public | Restricted | Confidential |
---|---|---|
No restrictions. | Consideration should be given to who may overhear conversations and if it is appropriate to discuss subject matter with the individual. | Calls and conversations regarding confidential data should not be held in locations where non-authorised individuals may overhear them. |
Websites
Public | Restricted | Confidential |
---|---|---|
Websites should use HTTPS and be approved by IT Services or the central web team before being published. | Websites should use HTTPS, include appropriate access controls and be approved by IT Services or the central web team before being published. | Websites must use HTTPS and appropriate authentication and access control. They must be approved by IT Services before being published. |
Deletion / destruction
Public | Restricted | Confidential |
---|---|---|
No security restrictions, although local procedures may apply. | Wastepaper should be disposed of using University-provided secure waste disposal facilities. If off-site, a cross-cut shredder should be used. IT Services will arrange secure disposal of data-bearing electronic devices. To request secure disposal of an IT asset please use the IT web portal. | Wastepaper should be disposed of using University-provided secure waste disposal facilities. If off-site, a cross-cut shredder should be used. IT Services will arrange secure disposal of data-bearing electronic devices; self-disposal of devices is strictly forbidden. To request secure disposal of an IT asset please use the IT web portal. |
Classification and labelling
Public | Restricted | Confidential |
---|---|---|
No labelling required. | Information should be labelled as 'restricted' or 'internal use only'. | Information must be proactively labelled as 'confidential'. |

Information Security Office
Oxford Brookes University
Headington Campus
Gipsy Lane
Oxford OX3 0BP
+44 (0) 1865 484354
info.sec@brookes.ac.uk