Management of information security

In a diverse environment, such as the University of Oxford, it is important to define, document and embed information security policies and practices at the heart of management within all divisions, departments, and faculties.

REQUIREMENTS

In order to meet your responsibilities around information security as a head of division, head of department or faculty board chair, you must:

  1. Take overall ownership of information security within your division, department or faculty
  2. Define and document any specific information security requirements for your division, department or faculty
  3. Identify and assign specific roles and responsibilities related to information security within your division, department or faculty
  4. Embed information security into your management framework

HOW TO COMPLY

Ownership of information security

As a head of division, head of department or faculty board chair, you are ultimately accountable for information security arrangements within your area.  You can delegate the responsibility, but not the accountability – even when using the services of other departments or third-parties. It is important to familiarise yourself with the University’s Information Security Policy, so you understand how information security is managed across the University, and to set the tone for information security within your unit.

Specific information security requirements

At the most basic level, you simply need to adhere to the University's Information Security Policy. However, your division, department or faculty may need to comply with other specific information security requirements.  As a head of division, department or faculty board chair you should be aware of what these requirements are and how you comply with them. They may include:

  • PCI DSS (Payment Card Industry Data Security Standard) for secure handling of payment card data
  • NHS DSPT (Data Security and Protection Toolkit) for secure handling of data from NHS Digital
  • Specific legal or contractual requirements with research councils or partners
  • Security requirements of other third parties
  • Security requirements of the UK GDPR

One way to document these would be in a short, single-page policy document or similar, for which there are templates available for you to use. There is no requirement to use that format, provided the requirements are recorded somewhere in your department, division or faculty documentation.

Also bear in mind that, whilst information security contributes towards compliance with data protection law, the two are not the same thing: you are obliged to make sure you are compliant with all of the data protection principles. Details of these can be found on the data protection website.

Roles and responsibilities

We recognise that you will likely need to devolve responsibility for the day-to-day management of information security, so you should document how this is done.  As a minimum, you should define and document:

  • Who is accountable
  • A point of contact for the central Information Security team to liaise with on general security issues
  • Responsibility for coordination of day-to-day information security activities within your division, department or faculty (i.e. who will coordinate responses to reports, risks and mitigating actions)
  • Responsibility for managing your IT infrastructure and security arrangements
  • A point of contact for, and responsibility for coordinating responses to, information security incidents

These responsibilities may be held by a single member of staff, shared among several, or spread across more than one role, but everyone involved should be made explicitly aware of their individual responsibilities.

Information security framework

Remember that information security is not just an IT issue: it is about people and processes as well as technology. Your senior management group should be aware of, and take ownership of, responses to incidents, risks and other issues relating to information security within your division, department or faculty. To embed information security into your management framework, it should be a standing agenda item in at least one regular senior management meeting, covering (for example):

  • Known risks
  • Recent and ongoing incidents
  • Reports on compliance
  • A review of new or outstanding actions

Further advice

The Information Security team will provide you with tools so that you can monitor compliance with University policies, receive regular reports on security incidents and be alerted to current threats. Your senior management group should review these issues on a regular basis and ensure that there is appropriate ongoing provision of resources and support to address risks within your division, department or faculty.

POLICY

It is University policy that:

  • Heads of division are responsible for the oversight of information security arrangements for departments or faculties within their division
  • Heads of department or faculty board chairs are responsible for the implementation of effective information security within their department or faculty