Information Security

Management of Information Security

In an ideal world, the University’s Information Security Policy would be able to tell everyone exactly how to keep their data secure. However, in an environment as diverse as Oxford, one size unfortunately does not fit all.

As a Head of Division, Head of Department or Faculty Board Chair, you are ultimately responsible for the specific information security policies of your division, department or faculty.

It is University Policy that:

  • Heads of Division are responsible for the oversight of information security arrangements for departments or faculties within their division
  • Heads of Department or Faculty Board Chairs are responsible for the implementation of effective information security within their department or faculty

In order to meet your responsibilities around information security as a Head of Division, Head of Department or Faculty Board Chair, you must:

  1. take overall ownership of information security within your division, department or faculty
  2. define and document any specific information security requirements for your division, department or faculty
  3. identify and assign specific roles and responsibilities related to information security within your division, department or faculty
  4. embed information security into your management framework

Ownership of information security

As a Head of Division, Head of Department or Faculty Board Chair, you are ultimately accountable for information security arrangements within your area. You can delegate the responsibility but not the accountability, even when using the services of other departments or third parties. It is important to familiarise yourself with the University’s Information Security Policy, so that you understand how information security is managed across the University, and to set the tone for information security within your unit.

Specific information security requirements

At the most basic level, you simply need to adhere to the University's Information Security Policy. However, your division, department or faculty may also need to comply with other specific information security requirements. As a Head of Division, Head of Department or Faculty Board Chair, you should be aware of what these requirements are and how you comply with them. They may include:

  • PCI-DSS for handling cardholder data
  • NHS IG Toolkit
  • Specific legal or contractual requirements with research councils or partners
  • Security requirements of other third parties

One way to document these would be in a one-page policy document or similar, for which there are templates available for you to use. But remember, there is no requirement to have separate local information security policies: you just need to write the requirements down as part of your standard divisional/departmental/faculty documentation.

Also bear in mind that whilst information security contributes towards compliance with data protection law, the two are not the same thing, and you are obliged to make sure you’re compliant with all data protection principles. Details of these can be found on the data protection website.

Roles and responsibilities

We recognise that you will likely need to devolve responsibility for the day-to-day management of information security, so you should document how this is done. As a minimum, you should define and document:

  • Who is accountable;
  • A point of contact for the central Information Security Team to liaise with on general security issues;
  • Responsibility for coordination of day-to-day information security activities within your division, department or faculty (i.e. who will coordinate responses to reports, risks and mitigating actions);
  • Responsibility for managing your IT infrastructure and security arrangements; and
  • A point of contact for, and responsibility for coordinating responses to, information security incidents.

These responsibilities may be shared among one or more staff members and/or across one or more roles, but all involved should be made explicitly aware of their individual responsibilities.

Information security framework

Remember, information security is not just an IT issue: your senior management group should be aware of, and take ownership of, responses to incidents, risks and other issues relating to information security within your division, department or faculty. To embed information security into your management framework, it should be a standing agenda item in at least one regular senior management meeting, covering (for example):

  • Known risks;
  • Recent and ongoing incidents;
  • Reports on compliance; and
  • A review of new or outstanding actions.

Further advice

The Information Security Team will provide you with tools so that you can monitor compliance with University policies, receive regular reports on security incidents and be alerted to current threats. Your senior management group should review these issues on a regular basis and ensure that there is appropriate ongoing provision of resources and support to address risks within your division, department or faculty.