Information Security Policy

Download a pdf version

1. Introduction 
Oxford Brookes University recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, the University will facilitate the secure and uninterrupted flow of information, both within the University and in external communications. The University believes that security is an integral part of the information sharing which is essential to academic and corporate endeavour and this Policy is intended to support information security measures throughout the University. 
2. Definition 
2.1 For the purposes of this document, information security is defined as the preservation of: 
● confidentiality: protecting information from unauthorised access and disclosure
● integrity: safeguarding the accuracy and completeness of information and processing methods
● availability: ensuring that information and associated services are available to authorised users when required. 
2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations. 
3. Protection of Personal Data 
The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy. 
4. Information Security Responsibilities 
4.1 The University believes that information security is the responsibility of all students and members of staff. Every person handling information or using University information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at the University. 
4.2 This Policy is the responsibility of the Executive Board; supervision of the Policy will be undertaken by the Senior Management Team. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see relevant policies and regulations). Implementation of information security policy is managed through the Information Security Working Group which reports to the Chief Information Officer. 
4.3 The University’s IT Services directorate has operational responsibility for the University’s IT systems and will therefore take action wherever necessary to protect those systems. 
5. Information Security Education and Training 
The University recognises the need for all staff, students and other users of University systems to be aware of information security threats and concerns, and to be equipped to support University security policy in the course of their normal work. The Information Compliance team has implemented a training programme in data protection for all members of staff who process personal data and, at the behest of the University's Faculties and Directorates, will provide or arrange the provision of training in information security matters to answer particular requirements. 
6. Compliance with Legal and Contractual Requirements 
6.1 Authorised Use: University IT facilities must only be used for authorised purposes. The University may from time to time monitor or investigate usage of IT facilities; and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings. 
6.2 Monitoring of Operational Logs: The University shall only permit the inspection and monitoring of operational logs by the appropriate staff from the University’s IT Services directorate or where it has been otherwise authorised. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by or consistent with law; (ii) when there is reason to believe that a violation of law or of a University policy has taken place; or (iii) when there are compelling circumstances (circumstances where failure to act may result in significant bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policies). 
6.3 Access to University Records: In general, the privacy of users' files will be respected but the University reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with University policies and regulations, and to determine which records are essential for the University to function administratively or to meet its teaching obligations. Except in emergency circumstances, authorisation for access must be obtained from the Chief Information Officer or the Chief Information Officer’s nominee, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation. 
6.4 Protection of Software: To ensure that all software and licensed products used within the University comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts, the University may carry out checks from time to time to ensure that only authorised products are being used. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings. 
6.5 Virus Control: The University will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of electronic devices issued by the University or used for University business shall comply with best practice, as determined from time to time by the University’s IT Services, in order to ensure that up-to-date virus protection is maintained. 
7. Asset Management 
All University information assets (data, software, computer and communications equipment) shall be accounted for and have a designated owner. The owner shall be responsible for the maintenance and the protection of the asset/s concerned. 
8. Physical and Environmental Security 
Physical security and environmental conditions must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls. 
9. Information Systems Acquisition, Development and Maintenance 
9.1 Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems. 
9.2 Controls to mitigate the risks must be identified and implemented where appropriate. 
10. Access Control 
10.1 Access to information and information systems must be driven by business requirements and be commensurate and proportionate to the business need. 
10.2 A formal access control procedure shall be required for access to all information systems and services. 
11. Communications and Operations Management 
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities must be established. 
12. Retention and Disposal of Information 
All staff have a responsibility to consider security when disposing of information in the course of their work. Owners of information assets should establish procedures appropriate to the information held and processed and ensure that all staff are aware of those procedures. Retention periods should be set in consultation with the University Records Manager. 
13. Reporting 
All staff, students and other users should report immediately via the Servicedesk portal https://service.brookes.ac.uk, or by telephone to the Service Desk on tel. ext. 3311, any observed or suspected security incidents where a breach of the University's security policies has or may have occurred, and any security weaknesses in, or threats to, systems or services. 
14. Business Continuity 
The University will implement, and regularly update, a business continuity management process to counteract interruptions to normal University activity and to protect critical processes from the effects of failures or damage to vital services or facilities. A copy of the Oxford Brookes Business Continuity Policy can be found here

Data Protection Policy

Download a pdf version

1. Introduction

1.1 The University holds and processes information about employees, students, and other data subjects for academic, administrative and commercial purposes. When handling such information, the University, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act).

In summary these state that personal data shall:

1. be processed fairly and lawfully,
2. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose,
3. be adequate, relevant and not excessive for the purpose,
4. be accurate and up-to-date,
5. not be kept for longer than necessary for the purpose,
6. be processed in accordance with the data subject's rights,
7. be kept safe from unauthorised processing, and accidental loss, damage or destruction,
8. not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.

1.2 Definitions

"Staff", "students" and "other data subjects" may include past, present and potential members of those groups.

"Other data subjects" and "third parties" may include contractors, suppliers, contacts, referees, friends or family members.

"Processing" refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

2. Notification of Data Held

2.1 The University shall notify all staff and students and other relevant data subjects of the types of data held and processed by the University concerning them, and the reasons for which it is processed. The information which is currently held by the University and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will be amended.

3. Staff Responsibilities

3.1 All staff shall • ensure that all personal information which they provide to the University in connection with their employment is accurate and up-to-date; • inform the University of any changes to information, for example, changes of address; • check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms. The University shall not be held responsible for errors of which it has not been informed.

3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Academic Staff.

3.3 Staff shall ensure that

• all personal information is kept securely;
• personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.

3.4 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject's consent where appropriate.

4. Student Responsibilities

4.1 All students shall

• ensure that all personal information which they provide to the University is accurate and up-to-date;
• inform the University of any changes to that information, for example, changes of address;
• check the information which the University shall make available from time to time, in written or automated form, and inform the University of any errors or, where appropriate, follow procedures for updating entries on computer forms.

The University shall not be held responsible for errors of which it has not been informed.

4.2 Students who use the University computer facilities may, from time to time, process personal information (for example, in course work or research). In those circumstances, they must notify their course tutor or research supervisor in the relevant Faculty who will provide further information about their responsibilities in processing personal data.

5. Rights to Access Information

5.1 Staff, students and other data subjects in the University have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Information Compliance Officer.

5.2 The University will make a charge of £10 for each official Subject Access Request, except for requests involving Health Records where the University may charge up to £50 for each request if those records are held either wholly or partly in non-electronic form.

5.3 The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Information Compliance Officer to the data subject making the request.

6. Subject Consent

6.1 In some cases, such as the handling of sensitive information or the processing of research data, the University is entitled to process personal data only with the consent of the individual. Agreement to the University processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. (See Appendix 1)

7. Sensitive Information

7.1 The University may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the University has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The University may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for academic assessment.

7.2 The University also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The University will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.

8. The Data Controller and the Designated Data Controllers

8.1 The University is the data controller under the Act, and the Vice Chancellor is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Heads of Faculties and Directors as designated data controllers. Information and advice about the holding and processing of personal information is available from the University's Information Compliance Officer.

9. Assessment Marks

9.1 Students shall be entitled to information about their marks for assessments, however this may take longer than other information to provide. The University may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the University.

10. Retention of Data

10.1 The University will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. Information and advice about the recommended retention times are available from the University Records Manager.

11. Compliance

11.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Information Compliance Officer by telephone on extension 4354 or by e-mail at info.sec@brookes.ac.uk.

11.2 Any individual, who considers that the policy has not been followed in respect of personal data about him- or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the University Information Compliance Officer and may be pursued through the staff grievance or student complaints procedure.

Appendix 1 University Information Processing

The University has notified the Information Commissioner that personal information may need to be processed for the following purposes:

1. Staff, Agent and Contractor Administration
2. Advertising, Marketing, Public Relations, General Advice Services
3. Accounts & Records
4. Education
5. Student and Staff Support Services
6. Research
7. Other Commercial Services
8. Publication of the University Magazine
9. Crime Prevention and Prosecution of Offenders
10.  Alumni Relations
11.  Information and Databank Administration

The Public Register of Data Controllers on the Information Commissioner's website contains full details of the University's current registration. The register entry provides:

• a fuller explanation of the purposes for which personal information may be used
• details of the types of data subjects about whom personal information may be held
• details of the types of personal information that may be processed
• details of the individuals and organisations that may be recipients of personal information collected by the University
• information about transfers of personal information.

For further information about these regulations, please contact the Information Compliance Officer. 

Access Control Policy

Download a pdf version

1. Policy Objectives

1.1 To define the requirements of Oxford Brookes University (OBU) to ensure that access to information assets is authorised and subject to identification and authentication controls

1.2 To establish the requirements for controlling access to OBU information or information that it is responsible for, including computing and physical resources.  Computer systems, networks and allied hardware and other peripherals are an integral part of our operations and represent substantial investment.

1.3 It is the purpose of the Access Control Policy to ensure that all access to information assets is properly authorised, maintained and reviewed.

2. Policy Scope

2.1 This Access Control Policy shall apply to all access to OBU's information assets.

2.2 All Users provided with access to OBU's information systems shall comply with this Access Control Policy as indicated in the IT Acceptable Use Policy.  

2.3 Access to physical and non-physical assets will be governed under the same principles.

2.4 This Access Control Policy shall establish the Logical and Physical Access control requirements for protecting the entire university's information systems and hardcopy data.

3. Policy Statement

3.1 This Access Control Policy forms part of Oxford Brookes University’s information Security Management System (ISMS) Framework as defined in the information Security Policy.

3.2 This policy should be read in conjunction with OBU’s IT Acceptable Use Policy, which summarises what OBU deems to be acceptable use of information systems

3.4 OBU’s information systems are provided for business purposes only and this Access Control Policy is used to ensure that Users:

• Comply fully with current legislation;

• Comply with other relevant OBU policies.

• Do not introduce unnecessary risk to OBU.

3.5 Access allocation shall be monitored to ensure compliance with this Access Control Policy.

3.6 All Users, who use the university's information assets and information systems, shall be responsible for safeguarding those resources and the information the information Owners hold, from disruption or destruction.

3.7 The Access Control Policy shall apply to all Users who have access to the university's information assets, including remote access.

3.8 Failure to comply may result in the offending employee being subject to disciplinary action up to and including termination of employment as per the Information Security Policy.

3.9 The use of the university's information assets and information systems indicates acceptance of this Access Control Policy.

4. Implementation Responsibilities

4.1 Oxford Brookes University IT Services shall ensure that Users are provided with education and training to ensure compliance with this Access Control Policy.

4.2 Oxford Brookes University IT Services shall develop, maintain and publish standards, processes, procedures and guidelines to achieve compliance with this Access Control Policy.

4.3 Annually review the Access Control processes, standards and procedures, to achieve compliance with this Access Control Policy and shall support the Access Control Strategy and provide security specific input and guidance where required.

4.4 IT asset owners and authorised users shall be assigned for each identified IT asset in order to approve or reject requests for access to their system.

4.5 IT asset owners and authorised users shall check the validity of all user access requests to information assets owned by them before implementation.  

4.6 IT asset owners and authorised users shall authorise employees requiring access to information assets owned by them.

4.7 Human Resources (HR) shall inform the IT department of users starting, moving and leaving the university.

4.8 All appropriate managers shall authorise any requirement to changes to user's access rights on the information systems.

4.9 Users shall not share access codes and/or passwords, if access to other information systems are required then a formal request shall be put forward for authorisation by an appropriate manager.

4.10 Users shall not share their physical access cards; if physical access to restricted areas is required then a formal request shall be put forward for authorisation by the line manager.

4.11 Users shall be responsible for the security (and secrecy) of their own secret authentication information.  In no circumstances is secret authentication information to be shared.

4.12 Users shall ensure incidents are reported and escalated in-line with documented Information Security Incident Management Procedure.

4.13 The University shall be responsible for ensuring all Users of OBU's information systems read and acknowledge the policy principles extracted from this Access Control Policy and included in the Acceptable Use Policy. 

5. Policy Principles

5.1 All information assets shall be "owned" by a named individual within OBU.

5.2 A process for user access requests, which mandates the steps to be taken when creating or modifying user access shall be defined, documented, annually reviewed and updated. The scope of this process must include network, application and database access and be applicable to any third party access.

5.3 Access to information assets shall be restricted to authorised employees and shall be protected by appropriate physical and logical authentication and authorisation controls.

5.4 Users shall be authenticated to information systems using accounts and passwords. See OBU’s Password Policy for further details.

5.5 Users are required to satisfy the necessary personal security criteria, as defined by OBUs Recruitment Policy, before they can be authorised to access information assets of a corresponding classification.

5.6 Users who have satisfied all necessary criteria may be granted access to information assets only on the basis that they have a specific need to know, or to "have-access-to", those information assets.

5.7 The classification of an information asset does not, in itself, define who is entitled to have access to that information.  Access is further filtered by any applicable privacy restrictions as dictated by other OBU Policies (such as the Data Protection Policy)

5.8 Access privileges shall be authorised by the appropriate information Owner and allocated to employee, based on the minimum privileges required to fulfil their job function.

5.9 Administrator accounts shall only be granted to those users who require such access to perform their job function.  Administrator accounts shall be strictly controlled and their use shall be logged, monitored and regularly reviewed.

5.10 Users with administrator access shall only access sensitive data if so required in the performance of a specific task.

5.11 Users with administrator access shall also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to electronic mail.

5.12 Line managers, information asset owners and authorised users shall ensure rights and privileges granted to Users of information assets are reviewed on at least every 6 months to ensure that they remain appropriate and to compare user functions with recorded accountability.  This shall include access to user accounts, which shall be revoked when they have been inactive for more than 90 days.

5.13 Access shall be granted only to those systems or roles that are necessary for the job function of the user.  Regular maintenance will address the management of privilege creep.

5.14 Detailed processes shall be developed and followed for terminating, modifying or revoking an employee's access, as part of the Movers/Leavers process.

5.15 In certain instances, particular access may be required for emergency reasons, such as undertaking emergency system maintenance.  Requests for emergency access shall be directed to the OBU Chief Information Officer, or a member of the IT Services Executive, and shall be approved by the information asset owner or authorised user.  Requests and approval should be documented, if possible, before the change is required stipulating an expiry period, which shall be enforced, for the access rights.  A request for change shall be documented retrospectively where it is not possible to do this in advance.  

5.16 All third party access (Contractors, Business Partners, Consultants, Vendors) shall be authorised by an appropriate information Owner and, if necessary, monitored.

5.17 Third Party Access to information assets shall be granted in increments according to business need and identified risks. Information asset owners shall specify access timeframes and be prepared to offer justification for such access.

5.18 Remote access to OBU's networks shall be appropriately authorised on a least privilege basis, with access only granted to systems and resources where there is an explicit business requirement.  Only employees of the university or authorised third parties shall be able to connect to the university's corporate infrastructure remotely.

5.19 Only authorised personnel shall be given access to secure areas at the university's premises and any third party premises where sensitive information is processed or maintained, or physical assets are held.

5.20 All access to areas hosting systems that store, process, or transmit sensitive data (e.g. datacentres) shall be controlled, monitored by cameras and logged.  Logs shall be regularly audited, correlated with other logs and securely stored for at least three months, unless otherwise restricted by law.  

5.21 All visitors shall have authorisation prior to entering any of the university's sites where sensitive data is processed or maintained.  

5.22 All visits shall be logged and details of logs retained for a minimum of one month, unless otherwise restricted by law.  Reception staff shall be made aware of their responsibility to log every visitor to OBU sites.

5.23 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive OBU data is processed or maintained.

5.24 User account names and actions performed shall be recorded using Audit logging capabilities.

5.25 The IT Services Information Management Team shall maintain plans indicating time schedules of all information security access audits to be performed across OBU to ensure compliance with this Access Control Policy.

5.26 Site management shall perform a formal review of physical access rights at least every 6 months to identify unauthorised or expired access.  Access controls shall be revoked in instances where access is no longer necessary for job function.

Information Security Incident Management Policy

Download a pdf version

1. Introduction and Scope

1.1 The University holds a large amount of information in a variety of media, physical and otherwise (including photos and videos). This includes personal and sensitive personal data, and also non-personal information which may be sensitive or commercially confidential (e.g. financial data) and may be subject to legal obligations of confidence, whether contractual or otherwise).

1.2 The University has legal responsibilities both under the Data Protection Act and in respect of its own business (for example, under the common law of confidence) to safeguard information in its control. Care should be taken to protect information, to ensure its integrity and to protect it from loss, theft or unauthorised access.

1.3 In the event of an information security incident (also referred to as a ‘data breach’), it is vital that appropriate action is taken to minimise associated risks.  A risk analysis should be performed, factors which need to be considered are:

• The number of individuals affected

• Type of data involved

• Impact (on individuals, the University or its contractors)

1.4 Any member of staff, student, contractor or pseudo-employee discovering or suspecting an information security incident must report it in accordance with this policy.

2. What is an information security incident?

2.1 An information security incident in an event whereby data held by the University, in any format, is compromised by being lost, destroyed, altered, copied, transmitted, stolen, used or accessed unlawfully or by unauthorised individuals whether accidentally or on purpose. Some examples:

• Loss, or theft of equipment on which data is stored, e.g laptop or mobile phone

• Unauthorised access to data

• Human error, e.g. emails to wrong recipient; public posting of confidential material online; incorrect sharing of Google documents

• Failure of equipment or power leading to loss of data

• Hacking attack

• Data maliciously obtained by way of social engineering (an attack in which a user is ‘tricked’ into giving a third party access, often by purporting to be someone other than they actually are)

2.2 Information security incident reporting also includes instances of ‘near misses’ and identification of vulnerabilities where IT Services considers there is a high likelihood of an actual incident occurring.

3. Reporting of the breach

3.1 All Information security incidents should be reported immediately to The IT Service Desk (via phone on ext. no. 3311, or the ServiceNow Portal), as the primary point of contact.

3.2 The report should include full and accurate details of the incident, including who is reporting the incident; what type of data is involved (not the data itself unless specifically requested); if the data relates to people and if so, how many people are involved.

3.3. The IT Services Information Management team is responsible for maintaining a confidential log of all information security events..

4. Investigation and Response

4.1 The Information Management team will consider the report, and where appropriate, instigate a Response Team. IT Services will lead the Response team and membership will depend on the type and severity of the incident. The response team will be responsible for investigating the circumstances and effect of the information security incident. An investigation will be started into material breaches within 24 hours of the breach being discovered, where practicable.

4.2 The investigation will establish the nature of the incident, the type of data involved, whether the data is personal data relating to individuals or otherwise confidential or valuable. If personal data is involved, associated individuals must be identified and, if confidential / valuable data is concerned, what the legal and commercial consequences of the breach may be.

4.3 The investigation will consider the extent of the sensitivity of the data, and a risk assessment performed as to what might be the consequences of its loss.  This will include risk of damage and/or distress to individuals and the institution.

4.4 The response team is responsible for formally documenting the incident and associated response. This information will (as a minimum) be subject to review by the Oxford Brookes University Information Security Working Group (ISWG) with serious incidents reviewed by the Chief Information Officer and other senior managers.

5. Containment and Recovery

5.1 The Response Team and IT Services Lead will determine the appropriate course of action and the required resources needed to limit the impact of the breach. For instance this may require isolating a compromised section of the network; alerting relevant staff or contractors; changing access codes/locks or shutting down critical equipment.

5.2 Appropriate steps will be taken to recover data losses and resume normal business operation. This might entail attempting to recover any lost equipment, using backup mechanisms to restore compromised or stolen data and changing compromised passwords.

5.3 For incidents that involve a suspected or actual criminal offence all efforts will be made to preserve evidence integrity.

6. Escalation & Notification

6.1 The details of the escalation and notification process are schematised in the appendix. A summary of this process is provided below.

6.2 The information management team is responsible for initial assessment of an incidents severity based on the scope, scale and risk of the incident.

6.3 This preliminary decision is then reviewed by the CIO and/or Director of IT Strategy, Information Management and Business Partnerships.

6.4 If at this stage the incident is deemed serious then the University Senior Management Team will be notified.

6.5 If a personal data breach has occurred of sufficient scale The Information Management team will notify the Information Commissioner’s Office (ICO) within the prescribed statutory time limits and manage all communications between the University and the ICO.

6.6 If the breach is deemed of sufficient seriousness (in line with ICO guidance), and concerns personal data, notice of the breach will be made to affected individuals to enable them to take steps to protect themselves. This notice will include a description of the breach and the steps taken to mitigate the risks, and will be undertaken by the Response Team. Liaison with the Police or other authorities may be required for serious events.

7. Review

7.1 Once the incident is contained a thorough review of the event will be undertaken by the Response Team, to establish the cause of the incident, the effectiveness of the response and to identify areas that require improvement.

7.2 Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter.  Targeted training may be offered to the department affected.

7.3 All information security incidents will be subject to summary review by the ISWG so that any weaknesses or vulnerabilities that may have contributed to the incident can be identified, documented and resolved.

Password Policy

Download a pdf version

1. Statement of Policy

1 Introduction and Policy Objectives

1.1 The purpose of this Password Policy is to protect Oxford Brookes University (OBU) information assets from unauthorized use, and possible accidental or intentional misuse, through weak password security practice.

1.2 The policy applies to all users (students, staff, consultants, contractors and visitors) who have been given access to OBU information and communication systems or who are using third-party systems or services which have been contracted for by OBU.

1.3 On joining OBU staff shall be required as part of their terms and conditions that they will keep all personal secret authentication information private and keep any group secret authentication information solely within the members of the group.

2 Password Creation

2.1 All user-level and system-level passwords must conform to current best practice guidelines (so called, ‘strong’ passwords). For further information please contact the IT Service Desk, however in general ‘strong’ passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z)

• Have digits and punctuation characters as well as letters e.g. 0-9,  -_.!~*()

• Are at least twelve alphanumeric characters long

• Are not based on personal information, names of family, etc.

2.2 Users must not use the same password for OBU accounts as they do for personal / non-OBU accounts.

2.3 Where possible, users must not use the same password for different accounts.

2.4 User accounts that have system-level privileges granted through group memberships, or programs such as Sudo, must have a different password from all other accounts held by that user to access system-level privileges.

3 Password Change

3.1 Users must abide by local or application-specific guidelines on the frequency of password changes. Changing passwords in itself is not a guarantee of security.

4. Password Protection

4.1 Passwords must not be shared with anyone (including other OBU staff). All passwords are to be treated as sensitive and confidential OBU information.

4.2 Do not write passwords down and store them in your office or place of work. Do not store passwords in a computer file unless the file itself is encrypted.

4.3 The use of ‘remember my password’ in applications (e.g. browsers) is not recommended for OBU passwords.

4.4 Any user that suspects their password may have been compromised must change it and inform the IT Service Desk immediately.

4.5 The use of password manager (also known as password vault) applications is permitted. For further information please contact the IT Service Desk.

5. Multi-Factor Authentication

5.1 It is recommended that users enable multi-factor authentication functionality on all system accounts where available

6. Application Development

6.1 Application developers must ensure that their programs contain the following security precautions:

Applications must support authentication of individual users, not groups

Applications must not store passwords in a reversible form and use PBKDF2 where possible.

All password hashes must be salted.

Applications must not transmit passwords in cleartext over the OBU network.

Network Security Policy

Download a pdf version

1. Introduction and Policy Aim

1.1 This document defines the Network Security Policy for Oxford Brookes University (OBU).  The Network Security Policy applies to all network hardware, services on the network and network attached systems.

1.2 For the purpose of this policy a network is defined as Oxford Brookes University’s connected (physically and wirelessly) data network that allows computing devices (including phones) to exchange data.

1.3 The aim of this policy is to ensure the security of the network. To facilitate this, the university shall:

• Protect assets against unauthorised access or disclosure (Confidentiality)

• Protect the network from unauthorized or accidental modification and ensure the accuracy and completeness of data assets (Integrity)

• Ensure the network is accessible how and when users need it (Availability)

2. Policy Objectives

2.1 To protect all hardware, software and information assets under its control.  This will be achieved by implementing a set of well-balanced technical and non-technical measures.

2.2 To provide effective protection that is commensurate with the risks to OBU network assets.

2.3 To implement the policy and associated procedures in a consistent, timely and cost-effective manner.

2.4 To ensure OBU is compliant with all relevant legislation, including (but not limited to:

• The Data Protection Act 1998

• Computer Misuse Act 1990

• Human Rights Act 1998

• Freedom of Information Act 2000

• Electronics Communications Act 2000

• Copyright, Designs & Patents Act 1988

3. Physical & Environmental Security

3.1 Network equipment (principally routers, switches and servers) shall be housed in a controlled and secure environment.  Critical or sensitive network equipment will be housed in an environment that is monitored for temperature, humidity and power supply quality.

3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls.

3.3 Critical or sensitive network equipment will be protected from power supply failures and protected by intruder alarms and fire suppression systems.

3.4 Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment.

3.5 All visitors to secure network areas must be authorised by an appropriate manager.

3.6 All visitors to secure network areas must be made aware of network security requirements.

3.7 The movement of visitors to secure network areas must be recorded.  The log will contain name, organisation, purpose of visit, date, and time in and out.

3.8 The Network Manager, or appropriate deputy, shall ensure that all relevant staff are made aware of procedures for visitors and that visitors are escorted when necessary.

4. Access Control to the Network

4.1 Access to limited-access network services shall be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access.  Remote access to the network will be via the University’s remote access software.

4.2 Departmental business managers will approve user access to systems including network access via standard staff joiner/leaver processes.  

4.3 Access rights to network services will be allocated on the requirements of the user's role, rather than on a status basis.

4.4 All users users of network services will have their own individual user identification and password.

4.5 Users are responsible for ensuring their password is kept secret (please see OBU’s Password Policy for further details).

4.6 User access rights shall be removed or reviewed for those users who have left the University or changed roles as soon practically possible.

5. Third Party Access Control to the Network

5.1 Third party access to network systems, services, hardware and network attached systems shall be based on a formal contract that satisfies all necessary security conditions.

5.2 All third party access to network systems, services, hardware and network attached systems must be logged.  

5.3 For further information please refer to the University Third Party & Supply Chain Management Policy

6. Maintenance and Fault Management

6.1 The Network Manager will ensure that adequate maintenance contracts are maintained and periodically reviewed for all network equipment.

6.2 The Network Manager is responsible for ensuring that a log of all faults on network systems and equipment is maintained and reviewed.

6.3 OBU shall ensure that timely information regarding the technical vulnerabilities of information systems is obtained. Any vulnerability will be assessed and any risks will be appropriately controlled.

6.4 The use of privileged utility programs that may be capable of overriding system and application controls shall be controlled and restricted.

6.5 Operational software shall only be installed by authorised system administrators and authorised third-parties (see section 5).

7. Network Operating Procedures

7.1 Documented operating procedures should be prepared for the operation of network services and systems, to ensure their correct, secure operation.

7.2 Changes to operating procedures must be authorised by the Network Manager.

8. Data Backup and Restoration

8.1 The Network Manager is responsible for ensuring that backup copies of network configuration data are taken regularly.

8.2 Documented procedures for backup processes and storage will be produced and communicated to all relevant staff.

9. User Responsibilities, Awareness and Training

9.1 The University will ensure that all users of network systems, services, hardware and network attached systems are provided with the necessary security guidance, awareness and where appropriate training to discharge their security responsibilities.

9.2 All users of network services and systems must be made aware of the contents and implications of the Network Security Policy.

9.3 All users must ensure that they protect the network from unauthorised access.  They must log off the network when finished working.  

9.4 Irresponsible or improper actions by users may result in disciplinary action

10. Protection against Malware

10.1 Software to protect against malware should be installed on all client devices including mobile computing assets.

10.2 Software used to protect University systems against malware shall be regularly reviewed and updated.

10.3 Procedures on dealing with malware protection and attacks shall be developed and documented together with appropriate business continuity plans.

11. Clock Synchronisation

11.1 All network systems and services shall be synchronised using ntp.brookes.ac.uk

12. Logging & Monitoring

12.1 Adequate event logs recording network activity, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

12.2 Logging facilities and log information shall be protected against tampering and unauthorised access.

12.3 The activity of privileged users shall be logged and the logs protected and regularly reviewed.

Information Sharing & Transfer Policy 

1 Introduction

1.1 The University holds a large amount of information, both in hard and soft copy. This includes personal and sensitive personal data (as defined by the UK Data Protection Act, 1998), and also non-personal information, which could be sensitive or commercially confidential (e.g. financial data).

1.2 It is sometimes necessary when we are working with partner organisations or other institutions or on collaborative projects, to share personal data or information with those institutions or partners. This might entail:

• The University may receive personal information from the institution or partner

• The University may send personal information to the institution or partner

• A request for personal information held by one or both of us

1.3 These partners might be our partner colleges or universities, or other institutions with whom we have a relationship. We may or may not have a formal contract with these institutions or partners. We must also consider the legislative implications that this might have on us at the university.

2. Information Sharing

2.1 Disclosures of information should be relevant, proportionate and lawful.

2.2 All regular sharing of information to the same source should be governed by a data sharing agreement which sets out the protocols for:

• What data is to be shared

• For what purpose

• Legal justifications for sharing

• Benefits and risks of sharing

• Information lifecycle (retention and disposal)

• Responsibilities and liabilities in the event of information security incidents

• Agreed methods of transfer  

• Appropriate audit trails and governance

• Appropriate ID and background checks (where applicable)

3 Methods of Transfer

3.1 Electronic Documents

3.1.1 Sufficiently secure methods must be used when transferring personal data.

3.1.2 In the case of confidential and/or sensitive data it is recommended that data is encrypted to an acceptable standard (i.e. compliant with FIPS 140-2 (cryptographic modules, software and hardware) and FIPS 19) prior to transfer and protectively marked.

3.1.3 Encryption passwords must not be relayed using the same communication channel as the data.

3.1.4 An audit trail of all transfers must be maintained in line with the retention policy.

3.1.5 If transfer is by email, information must be sent to named persons where possible, the use of group mailboxes is to be avoided.

3.1.6 Information no longer in use by either party must be securely deleted.

3.2 Hardcopy Documents

3.2.1 All hardcopy data must be posted using the University's approved mail delivery company.

3.2.2 All confidential and/or sensitive data must be identified and sent with the appropriate level of tracking via University’s approved mail delivery company.

3.2.3 Personal information must be labelled ‘private and confidential’ and ‘addressee only’ where appropriate.

Bring Your Own Device Policy 

1. Introduction

1.1 This policy covers the use of non-University owned electronic devices to access corporate systems and process University information. Such devices include, but are not limited to, smartphones, tablets, laptops and similar technologies. This is commonly known as ‘Bring Your Own Device’ or BYOD.

1.2 If you wish to BYOD to access University systems, data and information, you may do so provided that you follow the provisions of this policy and the advice and guidance provided through the IT Services Service Desk.

1.3 The University is keen to have an agile, flexible and responsive workforce.  Therefore the University has actively encouraged BYOD, enforcing as few technical and procedural constraints as possible whilst still satisfying its legal compliance obligations.

2. What is ‘BYOD’?

2.1 BYOD – Bring Your Own Device refers to Users using their own device (which is not owned or provided to them by the University) to process University information, whether at the place of work or remotely, typically connecting to the University or other Wi-Fi Service.

2.2 As the device is not owned by the University there is no guarantee that support will be provided for the device and any faults of software, hardware or peripherals must be rectified by the owner at their cost.

3. Risk Awareness and Mitigation

3.1 The University takes Information and Systems Security very seriously and invests significant resources to protect its data.  The University’s data, irrespective of what device is used to process it, remains an asset of the University.  

3.2 When using the device to process University data the user must adhere to policies of the university including the IT Acceptable Use Policy

3.3. If a personal device is used for work purposes, the user must take all reasonable steps to secure the device from risks such as:

• Loss or theft of device

• Unauthorized access of the device or University data

• Malicious software attacks

• Inadvertent disclosure

Such steps may include:

• Encryption of the device

• PIN, passphrase or biometric access control

• Not retaining any data locally on the device

• Regular and timely security updates

• Ensuring that the device manufacturer’s security mechanisms are not bypassed (Jailbreaking, rooting, etc.)

• Activating any tracking or locating software available on the device

• Ensure all University data is removed from the device when it is sold, recycled or transferred to a third-party.

4. Monitoring

4.1 Although the University will not monitor personal devices, in some cases the University may monitor the flow of University data between a device and its systems.

5. Roles and Responsibilities

5.1 Where the processing of sensitive personal data (as defined by the UK Data Protection Act, 1998) is deemed necessary for operational purposes an appropriate manager should assess the risks and decide if this is appropriate.

6. Data Ownership

6.1 Data must be handled in accordance with the University’s Intellectual Property Policy.  On termination of employment the user may be required to return or delete data as instructed by Oxford Brookes University

6.2 The User must take reasonable steps to ensure that personal data is sufficiently segregated from Oxford Brookes University data on the device.  Such steps must ensure that University data will not be merged with an employee's personal data.  This must be done to a degree that that non-employees, such as family members who use the device, do not have the ability to access University data