IT News

Information Security Policy

Download a pdf version

1. Introduction

Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University.

2. Definition

2.1 For the purposes of this document, information security is defined as the preservation of:

• confidentiality: protecting information from unauthorised access and disclosure
• integrity: safeguarding the accuracy and completeness of information and processing methods
• availability: ensuring that information and associated services are available to authorised users when required.

2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

3. Protection of Personal Data

The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 2018 (the 2018 Act). Responsibilities under the 2018 Act are set out in the Data Protection Policy.

4. Information Security Responsibilities

4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University.

4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer.

4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems.

5. Information Security Education and Training

The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements.

6. Compliance with Legal and Contractual Requirements

6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.

6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT Services directorate or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies).

6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.

6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.

6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT Services, in order to ensure that up-to-date virus protection is maintained.

7. Asset Management

All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned.

8. Physical and Environmental Security

Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.

9. Information Systems Acquisition, Development and Maintenance

9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.

9.2 Controls to mitigate the risks must be identified and implemented where appropriate.

10. Access Control

10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need.

10.2 A formal access control procedure shall be required for access to all information systems and services.

11. Communications and Operations Management

Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established.

12. Retention and Disposal of Information

All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager.

13. Reporting

All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services.

14. Business Continuity

The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found on the Business Continuity page.

DATA PROTECTION AND PRIVACY POLICY

Download a PDF copy

1. Introduction

1.1 General

The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Principles which are set out in the UK Data Protection Act 2018.

In summary these state that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’.)

2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).

4. Accurate and, where necessary, kept up to date (“accuracy”).

5. Kept in a form which permits identification for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).

6. Processed in a manner that ensures appropriate security using appropriate technical or organisational measures of the personal data (“integrity and confidentiality”).

7. The controller shall be responsible for and be able to demonstrate compliance with the principles (“accountability”).

1.2 Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.

"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.

"Processing" refers to any action involving personal information, this includes emailing collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Subjects” refers to any natural person whose personal data the University processes or is likely to process.

“Data Protection Law” in the UK principally refers to the 2018 Data Protection Act (‘the Act’). The EU General Data Protection Regulation (GDPR) was introduced in 2018 with the intention of harmonising data protection legislation across the European Union.

“Special Category Data” Special category data is personal data which the Act defines as sensitive data that requires additional; safeguards. Types of personal data which fall into special categories are defined in 7.1

2 Privacy Notices

2.1 Standard Privacy Notices

In order to provide fair and transparent processing under the first principle, the university will provide a privacy notice at the point of collection of personal data.

This will contain:

• Purpose of Processing

• Legal Basis for Processing

• Who personal data will be shared with

• Information about international transfers

• A list of subjects’ rights

• Consequences of not providing the data

• Details of any automated processing

• Retention periods

• Contact details of the Brookes’ Data Protection Officer

Where the data has not been acquired directly, the University will state:

• What types of personal data we will use

• The source of the personal data

2.2 Summary Privacy Notices

In some instances, it will be impractical or impossible to display a full privacy notice. In such cases we will display a summary privacy notice which will contain:

• Data protection contact details for the University.

• Purpose of the processing

• Legal basis for processing

• Link to the full privacy notice

3. Staff Responsibilities

3.1 Staff Personal Data

All staff are data subjects of the University and are subject to the rights listed in section 5.2

3.1.1 Data protection compliance is the responsibility of the entire university and staff must ensure that personal data the university holds on them is kept accurate and up to date.

3.2 Processing Personal Data

3.2.1 Staff shall ensure that appropriate organisational and technical measures are taken to secure any personal data that is processed. This includes:

• Personal data is stored securely and access to personal data is controlled on a need to know basis.

• All reasonable steps are undertaken to ensure that personal data is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter for staff and may be considered gross misconduct in some cases.

• Staff are required to adhere to IT Acceptable Use Policy – See /it/information-security/policies-procedures-legislation/

3.2.2 All staff must undertake the University’s mandatory Information Security Awareness Training.

4. Student Responsibilities

4.1 All students shall ensure that all personal information which they provide to the University is accurate and up-to-date.

4.1.1 Inform the University of any changes to that information.

4.1.2 Students should periodically check personal data the University holds about them and either update it through a self-service portal or inform the University of any amendments or corrections which are needed.

4.2 Students who use the University IT facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.

5. Rights of Data Subjects

5.1 Right of Access

5.1.1 Staff, students and other data subjects of the University have the right to access personal data that about them. Any person may exercise this right by submitting a request in writing to the IT Services Information Security Team.

5.1.2 The University will not make a charge for such requests. Where the University deems the requests to be manifestly unfounded or excessive the University will charge a fee based on resources needed to fulfil the request.

5.1.3 The University aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within one month unless where requests are complex or numerous. In such cases the statutory time frame can be extended by two months. Where the extension is needed, the reason for the extension will be explained in writing by the Information Compliance Manager to the data subject making the request within one month.

5.2 Other Rights

5.1.1 Data subject have additional rights under the legislation:

• The right to be informed

• The right to rectification

• The right to erasure

• The right to restrict processing

• The right to data portability

• The right to object

• Rights in relation to automated decision making and profiling.

5.1.2 The University will take appropriate steps to ensure necessary policy and procedures are in place to allow subjects to exercise their rights as stated in 5.1.1.

6. Lawful Processing and Consent

6.1 Where the University processes personal data it must provide a lawful basis for processing. The University will use the following lawful basis:

• Consent: the subject has given clear consent for the University to process their personal data for a specific purpose.

• Contract: the processing is necessary for a contract the University have with the individual, or because they have asked the University to take specific steps before entering into a contract.

• Legal obligation: the processing is necessary for the University to comply with the law.

• Vital interests: the processing is necessary to protect someone’s life.

• Public task: the processing is necessary for the University to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

• Legitimate interests - Processing is necessary for the purposes of the legitimate interests pursued by the University with full consideration to safeguard the rights and freedoms of data subject.

7. Special Category Data & Criminal Convictions

7.1 The University will not process any data relating to:

• Racial or ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Trade union membership

• Genetic data or biometric data

• Health data

• Sexual life or sexual orientation

• Criminal proceeding or convictions

Unless one of the conditions is 7.2 is fulfilled.

7.2 The University will only process special categories where:

• Explicit consent of the subject has been obtained.

• Processing is necessary for employment, social security or social protection purposes.

• It is necessary to protect the vital interests of the subject themselves or others.

• It is necessary for the legitimate interests of the university and will not be shared externally without consent.

• The data has been wilfully made public by the data subject.

• It is necessary for legal proceedings.

• It is necessary for reasons of substantial public interest.

• It is necessary for medical or social care reasons.

• It is necessary for reasons of public interest in the area of public health.

• It is necessary for archiving purposes.

8. Data Protection Officer

8.1 Designation of the Data Protection Officer (DPO).

8.1.1 The University will appoint a Data Protection Officer in accordance with article 37 of the GDPR.

8.1.2 The University’s Information Security Team will be the point of contact and will facilitate appropriate information sharing with the designated DPO.

9. Retention of Data

9.1 The University throughout its faculties and departments processes personal data for many different lawful purposes. The University will maintain a records retention schedule on which decisions on how long personal data can be retained for the specified purpose. The retention schedule is published and can be found at /it/information-security/records-management

10. Compliance

10.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. The University has a dedicated Information Security Team and any questions or concerns about the interpretation or operation of this policy should be taken up with them in the first instance on extension 5420 or by e-mail at info.sec@brookes.ac.uk.

10.2 Any data subject who considers that the policy has not been followed in respect of their personal data should report it to the University Information Security Team.

11. Data Protection Breach Management

11.1 A data protection breach is where any personal data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Such as:

• Loss or theft of equipment on which data is stored, e.g. laptop or mobile phone.

• Unauthorised access to data

• Emails sent to wrong recipients

• Public posting of confidential material online

• Incorrect sharing of Google documents

• Failure of equipment or power leading to loss of data

• Hacking attack

• Data maliciously obtained by way of social engineering

11.2 The University shall maintain and publish an Information Security Incident Management Policy. This Policy can be found at /it/information-security/policies-procedures-legislation/

11.3 All such breaches must be reported immediately to The IT Service Desk (via phone on ext. no. 3311, or https://service.brookes.ac.uk/brookes/

12. Register of Processing Activity

12.1 The University shall maintain a register of processing activity in accordance with article 30 of the GDPR.

12.2 The register described in 12.1 shall be periodically updated when required and reviewed by data owners at least once within a period of 12 calendar months.

13. Privacy Impact Assessments (PIA)

13.1 Where a new, or change of existing, processing activity may result in a risk to the rights and freedoms of data subjects, the University will conduct a Privacy Impact Assessment (PIA).

13.2 The University will embed PIA within its project governance procedures so that privacy risks are identified and assessed at point of proposal.

13.3 Any changes to existing processing activities captured in the register of processing activity deemed to be privacy intrusive will require a PIA.

14. Processing Personal Data for Research

14.1 Where processing data for research purposes you must ensure that you obtain consent in accordance with the Act

14.2 The University Research Ethics Committee (UREC) will be able to provide assistance.

You can find guidance at: https://www.brookes.ac.uk/research/research-ethics/review/staff/university-research-ethics-committee/

15. International Personal Data Transfers

15.1 The University will only transfer data within the EEA or to a country or international organisation which has a finding of adequacy of protection for the right and freedoms of data subjects.

15.2 In such circumstances whereby the University cannot demonstrate a finding of adequacy. International transfers to that destination will only take place on condition that:

• The data subject has explicitly consented to the proposed transfer

• It is necessary for the performance of a contract between the data subject and the University

• It is necessary for the conclusion or performance of a contract.

• It is necessary for important reasons of public interest;

• It is necessary for the establishment, exercise or defence of legal claims;

• It is necessary in order to protect the vital interests of the data subject.

16. Personal Data Processed by Third Parties and Suppliers

16.1 Where the University uses third parties and suppliers (to be known as processors in this section) to process personal data. The University shall:

• Use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.

• Seek assurances that processor shall not engage another processor without prior specific or general written authorisation of the controller.

• Processing by a processor shall be governed by a contract in which the processor.

• Only processes the personal data only on documented instructions from the controller.

• Ensures that persons authorised to process the personal data have committed themselves to confidentiality.

• Will comply with measures in Article 32 of the GDPR.

• Assists the controller in the fulfilment of requests exercising the data subject’s rights.

• Deletes or returns all the personal data to the controller after the end of the contract.

• Agree to regular audits by the University.

17. Data Protection Audits

17.1 The University will periodically undertake data protection audits. These will include:

• Auditing of internal policies and procedures

• Auditing of planned projects and changes to systems (via privacy impact analysis)

• Auditing of contractual terms

• Auditing of supplier policies and physical security measures.

Administrator Rights Policy

Download a pdf version

Policy statement

Where necessary for the performance of a user’s role the University shall grant colleagues administrator logon rights on Windows and Mac-based computers. If you have an existing device and would like to request a local administrator account, please do so using this form. These rights allow you to:

• install software

• modify system settings

• manage other users of the device.

It is important that when using your local administrator account, you adhere to the following guidelines to protect the University’s systems, devices and network:

• change your portal password every 90 days, ensuring that it is a strong password of at least 12 characters.

  maintain the integrity of your workstation by not taking excessive risk by installing software from the internet

• always work whilst logged into your standard, non-administrative user account and only use the local administrator account to elevate privileges at the time when you need them

• ensure you do not grant administrator privileges to your standard user account or any other person’s account or domainprovide IT Services with licensing information for any software personally installed, Brookes owned or otherwise, on your device

   

• routinely check that your anti-virus software is updating, checking for and eliminating spyware, or any similar data gathering and reporting software, from your workstations

• do not share your local administrator account details with others

• report any system failures and security issues to IT Services at the earliest opportunity

• keep up-to-date with, and adhere to, all IT policies including, but not limited to, the IT Acceptable Use Policy

• do not interfere with any automatic updating/patching or enforced policies or services performed or provided by IT Services.

The University recognises that by giving colleagues administrative rights and enabling you to manage your workstations, productivity and operational efficiency can be substantially increased. However, Administrator access to a computer can lead to unintended and unauthorised configurations that may cause both you and the IT support service difficulties operationally and potentially legally.

Support for University devices

All University-owned devices that have access to the network, either wired or wireless, are required to be configured to the following standards:

• the device must be a member of a recognised university domain or management system

• the device must have the current required management software installed including, but not limited to, power management, software compliance toolsets, configuration management toolsets. (Management software may vary by device type)

• the device must have active, current and correctly configured anti-virus software

• the device must be patched with operating system and third party vendor patches to a level required by IT Services.

Any customisation of a device to a configuration other than that provided or supported by IT Services will be lost in the event of a computer failure. Its restoration will be to a standard pre-customisation configuration.

Staff responsibilities

The University reserves the right to restore a machine to a standard configuration if that machine is found to be a security risk. In such cases the University will not be responsible for any resultant data losses.

The University reserves the right to decline requests for administrator rights on any device for which access must be restricted due to its function, location or use by multiple users.

Misuse of administrator rights is defined as, but not limited to:

• downloading software that is malicious, by intent or otherwise

• downloading unlicensed/illegal software

• downloading and/or distributing copyrighted material without permission

• permitting public, or unauthorised, access to data that is restricted in nature

• failure to adhere to the policies and procedures outlined above.

Access Control Policy

Download a pdf version

1. Policy Objectives

1.1 To define the requirements of Oxford Brookes University (OBU) to ensure that access to information assets is authorised and subject to identification and authentication controls

1.2 To establish the requirements for controlling access to OBU information or information that it is responsible for, including computing and physical resources. Computer systems, networks and allied hardware and other peripherals are an integral part of our operations and represent substantial investment.

1.3 It is the purpose of the Access Control Policy to ensure that all access to information assets is properly authorised, maintained and reviewed.

2. Policy Scope

2.1 This Access Control Policy shall apply to all access to OBU's information assets.

2.2 All Users provided with access to OBU's information systems shall comply with this Access Control Policy as indicated in the IT Acceptable Use Policy.

2.3 Access to physical and non-physical assets will be governed under the same principles.

2.4 This Access Control Policy shall establish the Logical and Physical Access control requirements for protecting the entire university's information systems and hardcopy data.

3. Policy Statement

3.1 This Access Control Policy forms part of Oxford Brookes University’s information Security Management System (ISMS) Framework as defined in the information Security Policy.

3.2 This policy should be read in conjunction with OBU’s IT Acceptable Use Policy, which summarises what OBU deems to be acceptable use of information systems

3.4 OBU’s information systems are provided for business purposes only and this Access Control Policy is used to ensure that Users:

• Comply fully with current legislation;
• Comply with other relevant OBU policies.
• Do not introduce unnecessary risk to OBU.

3.5 Access allocation shall be monitored to ensure compliance with this Access Control Policy.

3.6 All Users, who use the university's information assets and information systems, shall be responsible for safeguarding those resources and the information the information Owners hold, from disruption or destruction.

3.7 The Access Control Policy shall apply to all Users who have access to the university's information assets, including remote access.

3.8 Failure to comply may result in the offending employee being subject to disciplinary action up to and including termination of employment as per the Information Security Policy.

3.9 The use of the university's information assets and information systems indicates acceptance of this Access Control Policy.

4. Implementation Responsibilities

4.1 Oxford Brookes University IT Services shall ensure that Users are provided with education and training to ensure compliance with this Access Control Policy.

4.2 Oxford Brookes University IT Services shall develop, maintain and publish standards, processes, procedures and guidelines to achieve compliance with this Access Control Policy.

4.3 Annually review the Access Control processes, standards and procedures, to achieve compliance with this Access Control Policy and shall support the Access Control Strategy and provide security specific input and guidance where required.

4.4 IT asset owners and authorised users shall be assigned for each identified IT asset in order to approve or reject requests for access to their system.

4.5 IT asset owners and authorised users shall check the validity of all user access requests to information assets owned by them before implementation.

4.6 IT asset owners and authorised users shall authorise employees requiring access to information assets owned by them.

4.7 Human Resources (HR) shall inform the IT department of users starting, moving and leaving the university.

4.8 All appropriate managers shall authorise any requirement to changes to user's access rights on the information systems.

4.9 Users shall not share access codes and/or passwords, if access to other information systems are required then a formal request shall be put forward for authorisation by an appropriate manager.

4.10 Users shall not share their physical access cards; if physical access to restricted areas is required then a formal request shall be put forward for authorisation by the line manager.

4.11 Users shall be responsible for the security (and secrecy) of their own secret authentication information. In no circumstances is secret authentication information to be shared.

4.12 Users shall ensure incidents are reported and escalated in-line with documented Information Security Incident Management Procedure.

4.13 The University shall be responsible for ensuring all Users of OBU's information systems read and acknowledge the policy principles extracted from this Access Control Policy and included in the Acceptable Use Policy.

5. Policy Principles

5.1 All information assets shall be "owned" by a named individual within OBU.

5.2 A process for user access requests, which mandates the steps to be taken when creating or modifying user access shall be defined, documented, annually reviewed and updated. The scope of this process must include network, application and database access and be applicable to any third party access.

5.3 Access to information assets shall be restricted to authorised employees and shall be protected by appropriate physical and logical authentication and authorisation controls.

5.4 Users shall be authenticated to information systems using accounts and passwords. See OBU’s Password Policy for further details.

5.5 Users are required to satisfy the necessary personal security criteria, as defined by OBUs Recruitment Policy, before they can be authorised to access information assets of a corresponding classification.

5.6 Users who have satisfied all necessary criteria may be granted access to information assets only on the basis that they have a specific need to know, or to "have-access-to", those information assets.

5.7 The classification of an information asset does not, in itself, define who is entitled to have access to that information. Access is further filtered by any applicable privacy restrictions as dictated by other OBU Policies (such as the Data Protection Policy)

5.8 Access privileges shall be authorised by the appropriate information Owner and allocated to employee, based on the minimum privileges required to fulfil their job function.

5.9 Administrator accounts shall only be granted to those users who require such access to perform their job function. Administrator accounts shall be strictly controlled and their use shall be logged, monitored and regularly reviewed.

5.10 Users with administrator access shall only access sensitive data if so required in the performance of a specific task.

5.11 Users with administrator access shall also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to electronic mail.

5.12 Line managers, information asset owners and authorised users shall ensure rights and privileges granted to Users of information assets are reviewed on at least every 6 months to ensure that they remain appropriate and to compare user functions with recorded accountability. This shall include access to user accounts, which shall be revoked when they have been inactive for more than 90 days.

5.13 Access shall be granted only to those systems or roles that are necessary for the job function of the user. Regular maintenance will address the management of privilege creep.

5.14 Detailed processes shall be developed and followed for terminating, modifying or revoking an employee's access, as part of the Movers/Leavers process.

5.15 In certain instances, particular access may be required for emergency reasons, such as undertaking emergency system maintenance. Requests for emergency access shall be directed to the OBU Chief Information Officer, or a member of the IT Services Executive, and shall be approved by the information asset owner or authorised user. Requests and approval should be documented, if possible, before the change is required stipulating an expiry period, which shall be enforced, for the access rights. A request for change shall be documented retrospectively where it is not possible to do this in advance.

5.16 All third party access (Contractors, Business Partners, Consultants, Vendors) shall be authorised by an appropriate information Owner and, if necessary, monitored.

5.17 Third Party Access to information assets shall be granted in increments according to business need and identified risks. Information asset owners shall specify access timeframes and be prepared to offer justification for such access.

5.18 Remote access to OBU's networks shall be appropriately authorised on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement. Only employees of the university or authorised third parties shall be able to connect to the university's corporate infrastructure remotely.

5.19 Only authorised personnel shall be given access to secure areas at the university's premises and any third party premises where sensitive information is processed or maintained, or physical assets are held.

5.20 All access to areas hosting systems that store, process, or transmit sensitive data (e.g. datacentres) shall be controlled, monitored by cameras and logged. Logs shall be regularly audited, correlated with other logs and securely stored for at least three months, unless otherwise restricted by law.

5.21 All visitors shall have authorisation prior to entering any of the university's sites where sensitive data is processed or maintained.

5.22 All visits shall be logged and details of logs retained for a minimum of one month, unless otherwise restricted by law. Reception staff shall be made aware of their responsibility to log every visitor to OBU sites.

5.23 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive OBU data is processed or maintained.

5.24 User account names and actions performed shall be recorded using Audit logging capabilities.

5.25 The IT Services Information Management Team shall maintain plans indicating time schedules of all information security access audits to be performed across OBU to ensure compliance with this Access Control Policy.

5.26 Site management shall perform a formal review of physical access rights at least every 6 months to identify unauthorised or expired access. Access controls shall be revoked in instances where access is no longer necessary for job function.

Information Security Incident Management Policy

Download a pdf version

1. Introduction and Scope

1.1 The University holds a large amount of information in a variety of media, physical and otherwise (including photos and videos). This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise).

1.2 The University has legal responsibilities both under the Data Protection Act and in respect of its own business (for example, under the common law of confidence) to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorised access.

1.3 In the event of an information security incident (also referred to as a ‘data breach’), it is vital that appropriate action is taken to minimise associated risks. A risk analysis should be performed, factors which need to be considered are:

• The number of individuals affected
• Type of data involved
• Impact (on individuals, the University or its contractors)

1.4 Any member of staff, student, contractor or pseudo-employee discovering or suspecting an information security incident must report it in accordance with this policy.

2. What is an information security incident?

2.1 An information security incident in an event whereby data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Some examples:

• Loss, or theft of equipment on which data is stored, e.g laptop or mobile phone

• Unauthorised access to data

• Human error, e.g. emails to wrong recipient; public posting of confidential material online; incorrect sharing of Google documents

• Failure of equipment or power leading to loss of data

• Hacking attack

• Data maliciously obtained by way of social engineering (an attack in which a user is ‘tricked’ into giving a third party access, often by purporting to be someone other than they actually are)

2.2 Information security incident reporting also includes instances of ‘near misses’ and identification of vulnerabilities where IT Services considers there is a high likelihood of an actual incident occurring.

3. Reporting of the breach

3.1 All Information security incidents should be reported immediately to The IT Service Desk (via phone on ext. no. 3311, or the Service Desk web Portal), as the primary point of contact.

3.2 The report should include full and accurate details of the incident, including who is reporting the incident; what type of data is involved (not the data itself unless specifically requested); if the data relates to people and if so, how many people are involved.

3.3. The IT Services Information Management team is responsible for maintaining a confidential log of all information security events..

4. Investigation and Response

4.1 The Information Management team will consider the report, and where appropriate, instigate a Response Team. IT Services will lead the Response team and membership will depend on the type and severity of the incident. The response team will be responsible for investigating the circumstances and effect of the information security incident. An investigation will be started into material breaches within 24 hours of the breach being discovered, where practicable.

4.2 The investigation will establish the nature of the incident, the type of data involved, whether the data is personal data relating to individuals or otherwise confidential or valuable. If personal data is involved, associated individuals must be identified and, if confidential / valuable data is concerned, what the legal and commercial consequences of the breach may be.

4.3 The investigation will consider the extent of the sensitivity of the data, and a risk assessment performed as to what might be the consequences of its loss. This will include risk of damage and/or distress to individuals and the institution.

4.4 The response team is responsible for formally documenting the incident and associated response. This information will (as a minimum) be subject to review by the Oxford Brookes University Information Security Working Group (ISWG) with serious incidents reviewed by the Chief Information Officer and other senior managers.

5. Containment and Recovery

5.1 The Response Team and IT Services Lead will determine the appropriate course of action and the required resources needed to limit the impact of the breach. For instance this may require isolating a compromised section of the network; alerting relevant staff or contractors; changing access codes/locks or shutting down critical equipment.

5.2 Appropriate steps will be taken to recover data losses and resume normal business operation. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data and changing compromised passwords.

5.3 For incidents that involve a suspected or actual criminal offence all efforts will be made to preserve evidence integrity.

6. Escalation & Notification

6.1 The details of the escalation and notification process are schematised in the appendix. A summary of this process is provided below.

6.2 The information management team is responsible for initial assessment of an incidents severity based on the scope, scale and risk of the incident.

6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy, Information Management and Business Partnerships.

6.4 If at this stage the incident is deemed serious then the University Senior Management Team will be notified.

6.5 If a personal data breach has occurred of sufficient scale The Information Management team will notify the Information Commissioner’s Office (ICO) within the prescribed statutory time limits and manage all communications between the University and the ICO.

6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and concerns personal data, notice of the breach will be made to affected individuals to enable them to take steps to protect themselves. This notice will include a description of the breach and the steps taken to mitigate the risks, and will be undertaken by the Response Team. Liaison with the Police or other authorities may be required for serious events.

7. Review

7.1 Once the incident is contained a thorough review of the event will be undertaken by the Response Team, to establish the cause of the incident, the effectiveness of the response and to identify areas that require improvement.

7.2 Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter. Targeted training may be offered to the department affected.

7.3 All information security incidents will be subject to summary review by the ISWG so that any weaknesses or vulnerabilities that may have contributed to the incident can be identified, documented and resolved.

Password Policy

Download a pdf version

1. Statement of Policy

1 Introduction and Policy Objectives

1.1 The purpose of this Password Policy is to protect Oxford Brookes University (OBU) information assets from unauthorized use, and possible accidental or intentional misuse, through weak password security practice.

1.2 The policy applies to all users (students, staff, consultants, contractors and visitors) who have been given access to OBU information and communication systems or who are using third-party systems or services which have been contracted for by OBU.

1.3 On joining OBU staff shall be required as part of their terms and conditions that they will keep all personal secret authentication information private and keep any group secret authentication information solely within the members of the group.

2 Password Creation

2.1 All user-level and system-level passwords must conform to current best practice guidelines (so called, ‘strong’ passwords). For further information please contact the IT Service Desk, however in general ‘strong’ passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)

• Have digits and punctuation characters as well as letters e.g. 0-9, -_.!~*()

• Are at least twelve alphanumeric characters long

• Are not based on personal information, names of family, etc.

2.2 Users must not use the same password for OBU accounts as they do for personal / non-OBU accounts.

2.3 Where possible, users must not use the same password for different accounts.

2.4 User accounts that have system-level privileges granted through group memberships, or programs such as Sudo, must have a different password from all other accounts held by that user to access system-level privileges.

3 Password Change

3.1 Users must abide by local or application-specific guidelines on the frequency of password changes. Changing passwords in itself is not a guarantee of security.

4. Password Protection

4.1 Passwords must not be shared with anyone (including other OBU staff). All passwords are to be treated as sensitive and confidential OBU information.

4.2 Do not write passwords down and store them in your office or place of work. Do not store passwords in a computer file unless the file itself is encrypted.

4.3 The use of ‘remember my password’ in applications (e.g. browsers) is not recommended for OBU passwords.

4.4 Any user that suspects their password may have been compromised must change it and inform the IT Service Desk immediately.

4.5 The use of password manager (also known as password vault) applications is permitted. For further information please contact the IT Service Desk.

5. Multi-Factor Authentication

5.1 It is recommended that users enable multi-factor authentication functionality on all system accounts where available

6. Application Development

6.1 Application developers must ensure that their programs contain the following security precautions:

Applications must support authentication of individual users, not groups

Applications must not store passwords in a reversible form and use PBKDF2 where possible.

All password hashes must be salted.

Applications must not transmit passwords in cleartext over the OBU network.

Network Security Policy

Download a pdf version

1. Introduction and Policy Aim

1.1 This document defines the Network Security Policy for Oxford Brookes University (OBU). The Network Security Policy applies to all network hardware, services on the network and network attached systems.

1.2 For the purpose of this policy a network is defined as Oxford Brookes University’s connected (physically and wirelessly) data network that allows computing devices (including phones) to exchange data.

1.3 The aim of this policy is to ensure the security of the network. To facilitate this, the university shall:

• Protect assets against unauthorised access or disclosure (Confidentiality)

• Protect the network from unauthorized or accidental modification and ensure the accuracy and completeness of data assets (Integrity)

• Ensure the network is accessible how and when users need it (Availability)

2. Policy Objectives

2.1 To protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well-balanced technical and non-technical measures.

2.2 To provide effective protection that is commensurate with the risks to OBU network assets.

2.3 To implement the policy and associated procedures in a consistent, timely and cost-effective manner.

2.4 To ensure OBU is compliant with all relevant legislation, including (but not limited to:

• The Data Protection Act 2018

• Computer Misuse Act 1990

• Human Rights Act 1998

• Freedom of Information Act 2000

• Electronics Communications Act 2000

• Copyright, Designs & Patents Act 1988

3. Physical & Environmental Security

3.1 Network equipment (principally routers, switches and servers) shall be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.

3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

3.3 Critical or sensitive network equipment will be protected from power supply failures and protected by intruder alarms and fire suppression systems.

3.4 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.

3.5 All visitors to secure network areas must be authorised by an appropriate manager.

3.6 All visitors to secure network areas must be made aware of network security requirements.

3.7 The movement of visitors to secure network areas must be recorded. The log will contain name, organisation, purpose of visit, date, and time in and out.

3.8 The Network Manager, or appropriate deputy, shall ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.

4. Access Control to the Network

4.1 Access to limited-access network services shall be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access to the network will be via the University’s remote access software.

4.2 Departmental business managers will approve user access to systems including network access via standard staff joiner/leaver processes.

4.3 Access rights to network services will be allocated on the requirements of the user's role, rather than on a status basis.

4.4 All users users of network services will have their own individual user identification and password.

4.5 Users are responsible for ensuring their password is kept secret (please see OBU’s Password Policy for further details).

4.6 User access rights shall be removed or reviewed for those users who have left the University or changed roles as soon practically possible.

5. Third Party Access Control to the Network

5.1 Third party access to network systems, services, hardware and network attached systems shall be based on a formal contract that satisfies all necessary security conditions.

5.2 All third party access to network systems, services, hardware and network attached systems must be logged.

5.3 For further information please refer to the University Third Party & Supply Chain Management Policy

6. Maintenance and Fault Management

6.1 The Network Manager will ensure that adequate maintenance contracts are maintained and periodically reviewed for all network equipment.

6.2 The Network Manager is responsible for ensuring that a log of all faults on network systems and equipment is maintained and reviewed.

6.3 OBU shall ensure that timely information regarding the technical vulnerabilities of information systems is obtained. Any vulnerability will be assessed and any risks will be appropriately controlled.

6.4 The use of privileged utility programs that may be capable of overriding system and application controls shall be controlled and restricted.

6.5 Operational software shall only be installed by authorised system administrators and authorised third-parties (see section 5).

7. Network Operating Procedures

7.1 Documented operating procedures should be prepared for the operation of network services and systems, to ensure their correct, secure operation.

7.2 Changes to operating procedures must be authorised by the Network Manager.

8. Data Backup and Restoration

8.1 The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

8.2 Documented procedures for backup processes and storage will be produced and communicated to all relevant staff.

9. User Responsibilities, Awareness and Training

9.1 The University will ensure that all users of network systems, services, hardware and network attached systems are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

9.2 All users of network services and systems must be made aware of the contents and implications of the Network Security Policy.

9.3 All users must ensure that they protect the network from unauthorised access. They must log off the network when finished working.

9.4 Irresponsible or improper actions by users may result in disciplinary action

10. Protection against Malware

10.1 Software to protect against malware should be installed on all client devices including mobile computing assets.

10.2 Software used to protect University systems against malware shall be regularly reviewed and updated.

10.3 Procedures on dealing with malware protection and attacks shall be developed and documented together with appropriate business continuity plans.

11. Clock Synchronisation

11.1 All network systems and services shall be synchronised using ntp.brookes.ac.uk

12. Logging & Monitoring

12.1 Adequate event logs recording network activity, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

12.2 Logging facilities and log information shall be protected against tampering and unauthorised access.

12.3 The activity of privileged users shall be logged and the logs protected and regularly reviewed.

Information Sharing & Transfer Policy

1 Introduction

1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and sensitive personal data (as defined by the UK Data Protection Act, 1998), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).

1.2 It is sometimes necessary when we are working with partner organisations or other institutions or on collaborative projects, to share personal data or information with those institutions or partners. This might entail:

• The University may receive personal information from the institution or partner

• The University may send personal information to the institution or partner

• A request for personal information held by one or both of us

1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. We must also consider the legislative implications that this might have on us at the university.

2. Information Sharing

2.1 Disclosures of information should be relevant, proportionate and lawful.

2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:

• What data is to be shared

• For what purpose

• Legal justifications for sharing

• Benefits and risks of sharing

• Information lifecycle (retention and disposal)

• Responsibilities and liabilities in the event of information security incidents

• Agreed methods of transfer

• Appropriate audit trails and governance

• Appropriate ID and background checks (where applicable)

3 Methods of Transfer

3.1 Electronic Documents

3.1.1 Sufficiently secure methods must be used when transferring personal data.

3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 19) prior to transfer and protectively marked.

3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.

3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.

3.1.5 If transfer is by email, information must be sent to named persons where possible, the use of group mailboxes is to be avoided.

3.1.6 Information no longer in use by either party must be securely deleted.

3.2 Hardcopy Documents

3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.

3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via University’s approved mail delivery company.

3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.

Information Classification Policy

Download a PDF copy

1. Purpose

This policy establishes a framework for classifying work-related information (information) in order to:

• promote the safe transmission and sharing of information with legitimate parties.

• reduce the risk of harm to the confidentiality, integrity and availability of information processed by or on behalf of the Oxford Brookes University.

• advance the University’s compliance with ISO 27001:2013 standards (Clause

7.2.1).

2. Scope

This policy covers all types of handling, sharing (processing) and storage of information, including teaching, research, commercial and non-commercial activities as well as administration carried out directly for the University, any affiliates or partners, or by the University on behalf of another organisation.

There is a separate guidance policy for security sensitive material.

The Oxford Brookes University Information Classification Policy will apply to either an instance or regular information sharing, save where the law or other written agreement provides otherwise.

3. Information classification

(Examples of how to apply the classification markings are found at 5. below and Appendix 1.)

All information falling within the scope of the policy must be classified in accordance with the following categories: ‘Confidential’; ‘Restricted’; and ‘Public’.

The following classifications are generally available for application:

Confidential:

This information has a significant value for Oxford Brookes University, another organisation or individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know basis” only. This classification will include Special Category of Personal Data as defined in Data Protection Law (see Appendix 1). Large amounts of datasets of information which would otherwise be classified as “Restricted” were it a smaller amount, may become classified as “Confidential” by merit of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by email using info.sec@brookes.ac.uk

Restricted:

This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious. This information could be financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include emails and document containing personal data.

Public (or unclassified):

This information can be readily shared and publicly available. It could be on the Oxford Brookes University website with no adverse consequences for any organisation or individual.

4. Responsibility for classifying information

Anyone who is the author of information, or involved in processing information is responsible for ensuring that it is appropriately classified. Should anyone receive information which is not classified as it should be, that recipient becomes responsible for ensuring that any information is classified at that stage, in consultation with the relevant data owner.. This can be achieved either by reverting to the source or by classifying it on receipt, whichever is appropriate in thecircumstances.

5. Guidance

5.1 How to apply the classification marking

Consider all relevant factors when classifying documents which are set out in the respective classifications and examples in Appendix 1 and apply the appropriate classification marking: Confidential, Restricted or Public.

5.2 Transmitting and sending information

Please apply the Information Sharing and Transmission Policy when transmitting or sending information found at www.brookes.ac.uk/it/information-security/policies-procedures-legislation

5.3 The storage and retention requirements

Any documents or data must be classified whether saved digitally or stored manually. (It is good practice for a document or data to contain a date, as well, to facilitate applying the Retention Policy.)

Any document or data which is classified as “Confidential” or “Restricted” must be handled in accordance with the Oxford Brookes Information Handling Guidelines.

Appendix 1

Examples of how to classify different types of information are included in this table. This list is neither exhaustive nor prescriptive, it is included as an aid.

Appendix 2

Additional Factors to consider when classifying information:

• Where information is not classified and is not in the public domain already it should be treated as “Confidential” and afforded the highest levels of protection pending classification.

• Where information is held, handled or shared regularly or there is a large amount of data being processed either by or on behalf of another organisation, a contract or Information Sharing Agreement should cover the processing. This document is a legal requirement. It should set out which organisation’s Classification Policy applies (as well as covering other issues).

• Certain professions or functions have a regulatory body which stipulate how work-related information must be handled (e.g. occupational health, social services, research). In the unlikely event of any conflict within this policy and any guidance from a professional body, please raise this with the IT Services Information Security team by email using info.sec@brookes.ac.uk

• Where material contains characteristics of more than one classification, the entire document or all data is afforded the most protective marking.

• Databases or stored information classified as containing “Public” information must not contain any “Restricted” or “Confidential” information, except where the confidential parts have been redacted, or protected. The Restricted or Confidential information must be unavailable. This redaction can be achieved by e.g pseudonymisation de - identification, anonymisation or obfuscation.

• Any restricted or confidential elements of the information must be stored separately and given the relevant classification and protection relevant to their content.

• The classification of information may change over its lifespan, as its value to the University or to an individual changes.

Mobile Computing and Remote Access Policy

Download a PDF copy

1 Introduction and Policy Objectives

1.1 This document specifies the University policy for the use, management and security of any mobile computing devices (‘mobile device/s’) that may hold University data.

1.2 This policy applies to both mobile devices issued and owned by Oxford Brookes and personally owned mobile devices (also known as ‘BYOD’).

1.3 This policy also stipulates requirements for remote access to secure University systems, whether by mobile or non-mobile computing devices.

1.3 The policy applies to all users (staff, associates, consultants, contractors and visitors) who have been given access to Brookes’ information and communication systems or information assets (herein ‘users’). This policy only applies to students that are carrying out an official function on behalf of the University.

2 Definitions

2.1 Mobile devices that may hold University data include, but are not limited to:

• Laptop computers and netbooks

• Tablets

• Smartphones

• Portable storage devices (e.g. external hard drives, USB ‘thumb drives’ and memory cards).

2.2 University ‘issued and owned’ devices includes any device purchased, owned or leased by the University regardless of the source of funding.

2.3 Remote access refers to the ability of a user to directly access a Brookes’ computer, information and communication system or information asset from an offsite or other, non-secure, location.

3 Mobile Device Policy - Technical Requirements

3.1 IT Services is responsible for determining minimum security requirements for mobile devices. Minimum security requirements will be communicated to users through advice given by IT Services staff and published guidance, in particular the Information Handling Guidelines.

3.2 Mobile devices shall be updated in accordance with vendor recommendations and only use operating systems supported by the vendor.

3.3 Mobile devices must store all user-saved passwords in encrypted form.

3.4 ‘Jailbreaking1’ or ‘rooting1’ of University owned mobile devices is strictly forbidden. Personally owned devices that are ‘jailbroken’ or ‘rooted’ must not be used to access University systems or store University data.

4. Mobile Device Policy - User Responsibilities

4.1 Users are responsible for ensuring appropriate physical security controls are applied. These may include, but are not limited to:

• Logical ‘locking’ of unattended mobile devices (with a PIN, password or bitometric ID required to unlock the device).

• Secure physical storage of devices when not in use, e.g. in locked cupboards, drawers or cabinets.

• Care should be taken when travelling with mobile devices, e.g. not leaving devices unattended when offsite and keeping devices locked in the the boot of a car.

4.2 Users must report any lost or stolen mobile devices to IT Service immediately. Users must also notify IT Services if they have reason to believe a mobile device has been compromised or tampered with.

4.3 Users must ensure the use of mobile devices is in accordance with the Brookes’ IT Acceptable Use Policy.

4.4 Applications must only be installed from official vendor platforms (‘app stores’). Users must not install applications from untrusted sources without prior approval from IT Services.

4.5 Users must ensure devices receive updates and security patches according to vendor recommendations.

4.6 Users must consider the risk of storing or accessing University data using mobile devices. The storage of confidential University data on mobile devices is not recommended unless enhanced security controls are applied, e.g. device encryption. For restricted or confidential data users should seek advice from IT Services and subsequent approval from line management and / or appropriate data owners.

1 To ‘jailbreak’ or ‘root’ a mobile device is to remove the limitations imposed by the manufacturer. This gives direct access to the devices operating system and increases the risk of compromise by malicious software or agents.

4.7 Users shall take care when using personally owned mobile devices to ensure that University data is not stored or shared using personal accounts. Such usage may constitute an information security incident or breach of the Data Protection Act 2018 and should be reported to IT Services immediately.

4.8 Users must delete University data from mobile devices (whether University owned or personally owned) when the data is no longer needed for business purposes.

4.9 When users leave the University mobile devices owned by the University must be returned to IT Services (this may be via line management or other channel depending on local procedure). IT Services are responsible for either wiping and re-imaging devices for subsequent use or arranging secure collection and disposal.

4.10 When leaving the University it is the responsibility of users to ensure all University data is deleted from personally owned mobile devices (after transferring any necessary data to University-managed systems) and that tools or applications that access University systems are removed or reset. Users should be aware that inappropriate access to University data or systems after termination of employment could constitute a criminal offence.

5. Remote Access Policy

5.1 Users must only use remote access tools and solutions installed or approved by IT Services.

5.2 Remote access to University systems provided to third party suppliers and contractors must comply with the requirements of the Brookes’ Network Security Policy.

5.3 IT Services and / or relevant information asset owners reserve the right to refuse remote access to University systems at their discretion.

6. Policy Enforcement

6.1 Non-compliance with this policy could result in the initiation of disciplinary procedures against users. Under certain circumstances, failure to comply with this policy may constitute a criminal offence under the Computer Misuse Act 1990 and / or the Data Protection Act 2018.

6.2 Non-compliance with this policy by contractors or third-party suppliers may constitute a breach of contract.

6.3 Users must provide reasonable cooperation with IT Services to enable access, inspection and other appropriate actions in relation to their University owned mobile devices.

6.4 In the event of a high-severity security or data protection incident IT Services may request access to personally owned mobile devices, especially where:

• The mobile device is believed to have caused the incident

• The mobile device is believed to either store University data or has been used to access University data.

7. Related Policies & Guidance

7.1 Related policies include, but are not limited to the following University policies and guidance documents:

• IT Acceptable Use Policy

• Data Protection & Privacy Policy

• Network Security Policy

• Information Classification Policy

• Information Handling Guidelines

• Disciplinary Policy

7.2 The main IT Services contact for users will be the IT Service Desk. The IT Service Desk can be contacted:

• by telephone - 01865 483311 (or 3311 internally)

• using the self-service portal - https://service.brookes.ac.uk

7.3 The IT Services Information Security team may be contacted directly at info.sec@brookes.ac.uk

Third Party Supplier Security Management Policy v1.0

Download a PDF copy

1. Purpose

The objective of this Policy is to protect any information assets or data belonging to Oxford Brookes University to which third party supplier access (or potential access) is given. Compliance with this Policy contributes to the University meeting its governance requirements, including compliance with the Data Protection Act 2018, the General Data Protection Regulations and the ISO27001:2013 information security management standard.

2. Scope

2.1 This Policy sets out the requirements which must be adhered to when engaging any third party which has access to any information assets or information which belongs to the University and how the University will monitor compliance. It covers the supply of goods and services including the appointment of contractors.

Arrangements

2.2 This Policy applies to any type of contractual or other arrangement (agreement/s) where there is data processing or access to critical systems which support the data processing functions of the University.

Examples of arrangements include:

• commercial and non-commercial activities

• administration carried out directly for the University, including any affiliates or partners, or by the University on behalf of another organisation.

An information asset is any data, device, or other component of the environment that supports information-related activities and has a value to the University. (The value may be financial or be relevant to the reputation of the University for example.) Information assets include databases, electronic file storage, web platforms and personal computers as well as documents, filing cabinets and premises. Examples of critical systems affected by this Policy are:

• Student record systems

• Human Resources systems

• Finance systems

• Incident reporting systems

• ICT network systems

These arrangements may be evidenced by procurement documentation; contracts; information sharing agreements; confidentiality agreements; licences; or otherwise.

Data

2.3 The Policy applies to all data in the scope of 2.2 above.

This includes:

• Personal Data

• Special Category personal data

• Commercial or non-commercial data irrespective of its format (digital or paper).

This policy applies equally to Confidential, Restricted or Public Data (as defined in the Oxford Brookes Information Classification Policy).

Staff

2.4 The Policy applies to all staff including: contractors, temporary staff and third parties employed directly and indirectly by the University and any third party (to include subcontractors and affiliates) which may or does enter into an Arrangement with the University. Staff acting for and on behalf of the University and staff acting for and on behalf of any Third Party are responsible for ensuring the implementation of this Policy.

2.5 The Policy should be brought to the attention of any Third Party by the University during any procurement exercise or whenever an arrangement is entered into when the Policy has application. It should form part of the procurement and supply/purchasing procedure of the University.

3. Context

3.1 In the unlikely event of a conflict between a contractual, policy or other requirement, the conflict should be raised with both IT Services and Legal Services for resolution.

3.2 The Policy should be adhered to in conjunction with other relevant Brookes’ policies as well as any other relevant Regulations, Guidance, law, protocol or Agreement contractual or otherwise (such as procurement requirements) applicable to any arrangement. The University Regulations can be found at www.brookes.ac.uk/regulations and the IT policies can be found at

www.brookes.ac.uk/it/information-security/policies-procedures-legislation

There may be industry best practice or other requirements which must be adhered to. Relevant legal provisions include, but are not restricted to: procurement, data protection, health and safety.

3.3 The requirements of the Policy subsist until any procurement exercise or arrangement

is ended, subject to any legal, policy (such as data retention periods) and other requirements (such as contractual or licence provisions).

4. Access Control

Identification and control of risk by assessment

4.1 The University will assess the risks posed to any information, information assets or system posed by allowing third parties access or involving third party suppliers.

4.2 As part of the risk assessment, the University will define the different types of information access that a supplier will be allowed. This is restricted to what is required to complete the task (‘data minimisation’).

4.3 Any third party allowed access to University systems, information assets or data will be given details of how their access will be audited and controlled in accordance with policy such as the Access Control Policy found at www.brookes.ac.uk/it/information-security/policies-procedures-legislation/

5. Risk Management

5.1 All third parties who are given access to the information, information systems or information assets belonging to the University must agree to demonstrate compliance with all relevant information security policies, guidelines and procedures, as well as the law.

5.2 University staff within the Faculties and Directorates (in conjunction with IT Services where appropriate) will assess and record any risks posed to its Information Assets and from business processes involving third parties. Any identified risks must be documented and efforts made to minimise that risk and/or determine if it is acceptable to the organisation.

Where a third party is processing significantly large volumes of personal data or other high-risk data processing a Privacy Impact assessment should be completed in addition to a standard information risk assessment.

5.3 Records of identified risks must be reviewed during the lifetime of the arrangement with the third party in the event that there is an indication that the exposure to risk may or have changed. Any reviews and outcomes must be recorded.

5.4 Oxford Brookes University will determine the level of access as well as the duration of access that third parties may have to Information Assets and Critical Systems based in part on the identified risks as well as any other relevant factors.

5.5 On written request, the third party must provide details of organisational and technical security controls in use which are relevant to the data processing or access.

5.6 The third party shall ensure that the University Information Assets Information and critical systems are appropriately protected and that this is monitored to prevent unauthorised access or use of University information assets.

6. Legal Requirements and written agreements

6.1 The University must consider whether it is appropriate to complete a Privacy Impact Assessment to determine whether information sharing is lawful for new projects and procurement exercises.

6.2 Any supplier of a pre-defined critical system must sign and adhere to the Information Security Agreement or contract in place for suppliers.

6.3 An Information Sharing Agreement should be completed where there are regular or significant quantities of data being shared with a third party to document the process, unless this is explicitly covered in a written contract. Information Sharing Agreements should be approved by both the IT Services Information Security team prior to authorisation and signing via Legal Services.

6.4 Contracts should cover all appropriate information sharing and security arrangements and requirements. Please see appendix 1 for further details.

6.5 The University is required to consider the legal basis for sharing personal data with any third party and record the same. If the ground for sharing personal data is found to be because it is in the legitimate interests of the University then a legitimate interests assessment should be completed by the IT Services Information Security team.

6.6 Permission to access Information Assets or business processes can be agreed in the absence of appropriate and satisfactory compliance with this policy in the event of an emergency, exceptionally, or where this is agreed as genuinely impractical by the Vice Chancellors Group or a Director / Head of Department (advice and guidance to be provided by IT Services Information Security team).

6.7 Compliance should be recorded by the University. If advice or support is needed to confirm what is required in any given situation please contact info.sec@brookes.ac.uk

7. Human Resources Security

Pre - employment screening for third parties, sub -contractors and affiliates

7.1 The third party is responsible for ensuring that the information security roles and responsibilities of all third parties and any subcontractors or affiliates are clearly defined and documented and that this information can be made available to the University where required.

7.2 The third party can show that, at their own cost, all appropriate pre-employment checks have been carried out. This includes: checking references, qualifications, appropriate financial probity and criminal conviction and rights to work checks (when it is both lawful and appropriate that these should be carried out). All staff must have the pre-requisite skills and qualifications and training for a given role.

During employment

7.3 The third party can show that their staff are:

• subject to suitable and comprehensive induction requirements

• have access to any ongoing training covering information security and any other issues relevant to the role

• subject to codes of conduct protect any information or information assets belonging to the University. These codes of conduct incorporate sanctions when necessary.

• compiling a complete asset inventory which is available for inspection

• ensure staff are complying with access and security requirements (including ID passes etc.)

7.4 The third party shall consult with the University prior to the event of any personnel changes.

Termination of employment

7.5 The third party will follow the University’s policies at termination or suspension of employment to ensure that access to secure premises systems or information assets are terminated appropriately and access is denied promptly.

8 . Review

8.1 (a) The responsibility for managing supplier relationships must be assigned to an designated individual or team.

8.1 (b) In conjunction with the University the third party must also identify a designated individual or team to manage the contract and and be:

• prepared to be audited in accordance with University requirements (as defined by policy and relevant legislation)

• monitor contract performance levels to verify adherence to any agreements

• provide information/audit data about any security incidents (or near misses)

• preempt, identify and resolve problems by anticipating security events and operational problems as well as learning from experience

• ensure that the third party maintains a sufficient service capability and workable plans to achieve the contractual requirements and maintain business continuity.

Other obligations

Malware and data security protection

8.2 In the event that the third party has reason to be concerned about any actions of their employees, or the procedures in place, that could compromise the confidentiality, integrity or security of the information or information assets belonging to the the University then the third party will advise the University immediately.

8.3 The third party will notify the University immediately if it becomes aware of any malware or security concerns relating to their own systems which have not been automatically corrected or quarantined and shall provide written details of protective measures taken.

8.4 Any “near miss” or actual data protection breaches which could or did compromise the confidentiality integrity or security of University Data must be reported by the Third Party to the IT Services Information Security Team at once on info.sec@brookes.ac.uk.

9. Third party supply chains

9.1 The third party must supply full details of any subcontractors that it intends to use in the provision of services prior to engagement.

9.2 In addition to providing the company name, address and location of the company, it is the responsibility of the the third party to ensure that:

• the subcontractor has entered into any of the prerequisite written agreements required by the University

• any subcontractor complies with the same requirements as the third party

• the third party must check that these requirements have been fulfilled

• the third party must provide both the assurance and evidence requested by the University as the law allows and the University requires

• the third party must complete an information security risk assessment to the satisfaction of the University prior to allowing access to the subcontractor to any of the University’s Information Assets systems or information

• the third party will conduct security reviews on any subcontractors at the instigation of the University or in any event in accordance with contractual requirements.

10. Managing changes to supplier services

10.1 Mechanisms must be in place to manage changes to supplier services when changes can occur.

10.2 The risk assessment carried out at procurement stage should cover the implications of any changes of supplier services and needs to be revisited during the lifetime of the contract. Where services are critical, how to manage those changes must be addressed as part of business continuity planning.

Monitoring review and auditing third party contracts

10.3 Oxford Brookes University must regularly review and audit service delivery to ensure that changes with supplier services are managed. This is to protect both normal business and business continuity in every day and exceptional circumstances. The frequency of the monitoring needs to be fixed at procurement stage and it will depend on the goods and services provided as well as the proposed duration of any arrangement. Any audit findings should be recorded, this should include how any non-conformities or areas of non-compliance which are identified will be addressed including agreed remedies and timeframes.

10.4 Another function of the review / audit is to provide updates about any information security incidents and these must be reviewed in the light of any legal requirements (There may be separate contractual consequences, investigations or other legal remedies which could arise out of any findings).

11. Cost of compliance

11.1 Suppliers and third parties need to manage any additional costs in relation to compliance. This includes any Third Parties’ obligations under data protection law, or risk assessment. The University is not expecting to warrant or indemnify against any possible breach of data protection law by third parties.

10.2 The University is not expecting to accept contract/agreement price increases from suppliers, should new systems or processes be required to implement the policy or Legislation.

APPENDIX 1

This is the checklist to be used by the IT Services Information Security Team in conjunction with the procurement team and legal services, to make sure that any proposed contract or information sharing arrangement is compliant with this policy, data protection principles, laws and ISO27001:2013:

Compliance with General Data Protection Regulation Principles:

Is the personal data in scope:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject.

• identify lawful basis of processing (including special category data)

• if processing using ‘consent’ is it freely given, unambiguous and informed?

• if processing using ‘legitimate interests’ has a legitimate interest assessment been completed?

• will the data subjects have a reasonable expectation that data will be processed in this way. Is processing covered by existing privacy notices? If not, check if the existing privacy notices need to be amended.

• does the project / process involve any international data transfers? If yes, do they meet GDPR requirements?

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

d) Accurate and, where necessary, kept up to date.

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed:

• does personal data in scope need to be retained for defined statutory period?

• if not, how is operational necessity defined?

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

• Is the supplier / partner ISO27001 certified?

• If not what other evidence can they provide of information security best practice?

• Are data flows to and from Brookes secure?

• Are operational security controls adequate?

Third Party Processor Contract Compliance

Any contract must make reference to:

• a right to audit

• prompt notification about security breaches

• adherence to security practices

• response time to vulnerabilities

• Management of supplier’s supply chain risks - consent in advance from the University must be secured before a third party can be included in the supply chain

• How the Oxford Brookes University will be informed regarding changes in its environment that may impact the Brookes business and how services will be maintained.

APPENDIX 2

This checklist sets out the minimum requirements that must be met by a third party supplier.

APPENDIX 3

Below are some sample clauses which can be included in contracts to address information security and ensure compliance with UK data protection and privacy legislation. The clauses will need to be amended and numbered.

Particular care needs to be taken when identifying the roles: controller, processor or joint

controllers of data. This matters because role dictates the contractual responsibilities. In the draft clauses, Party X is the data controller and Party Y is the data processor.

Definitions

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data, regulatory requirements, guidance and codes of practice.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force in the UK including regulatory requirements guidance and codes of practice.

1. DATA PROTECTION

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This includes and is not restricted to providing details of Data Protection Officers and Privacy Policies.

1.2 The parties agree that for the purposes of the Data Protection Legislation, X is the Controller and the Y is the Processor. [Schedule [NUMBER] sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.3 X will ensure that the grounds for processing are identified and that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Y [and/or lawful collection of the Personal Data by Y on behalf of X for the duration and purposes of this agreement.

1.4 Y shall:

a) process any Personal Data only on written instructions of X [which are set out in [Schedule [NUMBER]

b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by X to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data The parties will have regard to the state of technological development and the cost of implementing any measures. Those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;

c) ensure that all personnel who have access to and/or process Personal Data are suitably trained and are obliged to keep the Personal Data confidential; and

d) will not transfer any Personal Data outside of the European Economic Area unless the prior written consent of X has been obtained. Y will ensure the data subjects have enforceable rights and effective legal remedies; and that an adequate level of protection to any Personal Data that is transferred is provided and make this information available to X; and

e) will comply with all reasonable written instructions from Y

f) assist X , in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; at no extra cost

g) notify X immediately on becoming aware of a Personal Data Breach;and to comply with subsequent legal and regulatory requirements and investigations promptly. To discuss the practicalities of addressing the consequences of the breacy with X, such as whether data subjects need to be notified.

h) at the written direction of X to delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and

i) maintain complete and accurate records and information to demonstrate its compliance with this clause [NUMBER] [and allow for audits by X ‘s designated auditor and immediately inform X if, in the opinion of Y , an instruction infringes the Data Protection Legislation or if security is at risk;.

Either party may, at any time on not less than … (15) days’ notice, revise this clause [NUMBER] by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

The Schedule (to be included in contracts in addition to the clauses above)

Processing; Personal Data and the Data Subjects

1. Processing by the Data Processor

1.1 Scope of Processing

1.2 Nature of Processing

1.3 Purpose of the Processing

1.4 Duration of the Processing

2. Types of Personal Data

3. Categories of Data Subject

APPENDIX 4

When engaging with third parties, as part of the procurement / information sharing :

1. Complete a Data Protection Privacy Impact Assessment (if required)

The Privacy Impact Assessment is used to determine the risk associated with processing data and whether or not mitigating controls will be sufficient. The guidance to help with completion of the assessment and the judgements to be making that decision can be found at:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

If it is, the assessment is completed by the Faculty or Directorate with assistance from the IT Services Information Security team. The Privacy Impact Assessment must be retained and reviewed through the lifecycle of the agreement.

2. Complete an information risk assessment and risk treatment plan

Again these are completed by the Faculty / Directorate with assistance from the IT Services Information Security team. Any risks must be identified and minimised where possible and kept under review. The risk assessment and associated risk treatment plan must be kept by the Faculty or Directorate. This should inform how data can be shared, whether it can be minimised, if it can be encrypted etc.

3. Ensure security is part of the competitive tendering process

Where personal data or sensitive commercial data is involved the tender specification should consider information security and data protection requirements. This may be organisational security controls of the supplier (e.g. do they have a training programme, information security policies); technical controls of the desired solutions (e.g. does the solution encrypt data at rest and in transit, will be developed using secure coding practices, etc?). For guidance on the information security content of a competitive tender please contact the IT Services Information Security team.

4. Comply with procurement requirements

Any procurement requirements must be complied with. This includes finalising contractual arrangements.

5. Consider incorporating the contract clauses about data protection

See Appendix 3

6. Information Sharing Agreements

An information sharing agreement must be completed by the Faculty or Directorate in the absence of any contractual provisions about data protection and information security.

7. Signing the documents off

Any procurement paperwork, risk assessment contract or information sharing agreement need to be provide Legal Working Instruction Form to legal services for checking and signature.

8. Schedule reviews of the risk assessment and Privacy Impact Assessment as well as any contractual obligations

Ensure that they are regularly reviewed with a view to minimising security risk and to make sure that information is processed only when necessary.

9. Information security at contract termination

Consider what information security implications there are once a contract is due to be terminated. This may include revoking access permissions for third party supplier staff or systems, return of equipment or requesting the deletion or return of Brookes’ data.