In 2019, Brookes achieved the globally recognised information security certification ISO/IEC 27001, as part of its commitment to protecting its information and that of its staff, students and partners.
This certification applies to all staff and associates provided with access to Brookes information assets and network services, all information assets and the associated business processes that support the provision of education and ancillary University services.
The benefits of the ISO 27001 framework include:
When creating any form of information on behalf of the University, content owners need to assign it one of the following categories:
This information can be readily shared and made publicly available with no adverse consequences for any organisation or individual. Typical content might be:
This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious. This information could be of financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include what is now called “Personal” Data. Typical content might be:
This information has a significant value for Oxford Brookes University, another organisation or individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know” basis only. This classification will include Special Category of Personal Data as defined in Data Protection Law. Large datasets of information that would otherwise be classified as “Restricted” in smaller amounts may become classified as “Confidential” by virtue of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by email using firstname.lastname@example.org. Typical content might be:
Please take a look at some typical scenarios for classifying work-related information:
Ensure correct recipients are selected. Non-disclosure or information sharing agreement may be required for sharing bulk data via email.
Consider whether sharing such information by email is appropriate. Double check correct recipients are selected. Email should be proactively labelled as 'confidential'. Use bcc where appropriate. Attached files must be encrypted and passwords communicated by a separate medium (e.g. by phone or text to a trusted mobile phone number).
Bulk confidential information must not be displayed in the body-text of the email.
Consider use of a secure (encrypted) email service; the service should be approved by IT Services prior to use.
the bulk emailing guidelines.
Bulk emailing of confidential information should be avoided and must be approved by IT Services.
Use access-controlled network shared drives or Google Drive. Information should not be stored on local computer drives (i.e. C: drive of laptop or desktop computer).
No restrictions although local procedures may apply. Use of centrally managed University services is recommended.
Only use external / cloud hosted services approved by IT Services.
Only use external / cloud hosted services approved by IT Services. Use of personal cloud storage accounts to store confidential data is strictly forbidden.
Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements may be required for sharing confidential data with third parties. Please check first with IT Services.
Only use commercial or third-party file sharing services approved by IT Services. Contracts, non-disclosure or information sharing agreements are required for sharing confidential data with third parties.
Confidential data should only be stored on managed mobile devices with appropriate security verified by IT Services. Physical security of device should be ensured.
Drives must be encrypted to a minimum of AES128, check with IT Services if in doubt. For details of how to encrypt removable drives please see
or speak to the IT Service Desk.
Storage of confidential data on USB and external drives is not recommended and the approval of IT Services and Faculty / Directorate data owner must be sought before use. Drives must be encrypted to a minimum of AES128, please check with IT Services if in doubt. For details of how to encrypt removable drives please see
or speak to the IT Service Desk.
Websites must use https and appropriate authentication and access control. They must be approved by IT Services before being published.
To request secure disposal of an IT asset please use the IT web portal.