Whether you are a student, member of staff or contractor, you all have an important part to play in protecting University systems and the information stored on them. The information security policies below explain those expectations, obligations and conditions of use which you should read, understand and comply with. These policies have been comprehensively reviewed and revised to make them easier to read, and we are committed to a regular review cycle to ensure they remain accessible and helpful.
Why is Information Security important?
Information is one of the most important assets to an organisation and all information is valuable and should be appropriately protected. Security is a combination of systems, operational procedures and internal controls to ensure integrity, confidentiality and availability of data to support the operation of the organisation.
'Why is Information Security important' video created by Security Fresh.
Information security policies
Staff information security policy
Quick guide
Update any computers and devices you use with the latest software patches and updates.
Look after the password for your University account and never disclose it to anyone.
Secure any computer or device you use to access University information with a PIN or password.
Report a breach if you think someone has accessed your account or a computer is infected.
Don't use University or personal systems to harass, bully or abuse people or break the law.
Guard your computer from viruses by using University-approved antivirus software.
Lock paper copies away when not required, and lock your computer when you're not using it.
Take care of any confidential information you have access to, especially personal information.
Think before you copy, share or upload confidential data, especially outside the University.
1. Purpose
2. Personal use
3. Protection of information
4. Reporting security events
5. Unacceptable use
- Creation or transmission of material (including via social media) which is defamatory and could constitute harassment or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety.
- Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images).
- Creation or transmission of material with the intent to defraud.
- Creation or transmission of material that infringes the copyright of another person.
- Deliberate unauthorised access to networked facilities or services.
- Illegal activity including, but not limited to, accessing pornographic images or sites, or media which are specifically designed to promote terrorism or which advocate or promote any unlawful act.
- Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures.
- Any activity which brings the University into disrepute.
Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0, Approved: 9 February, 2021; Next review: Q1 2022
Student information security policy
Quick guide
Update any computers and devices you use with the latest software patches and updates.
Look after the password for your University account and never disclose it to anyone.
Secure any computer or device you use to access University information with a PIN or password.
Report a breach if you think someone has accessed your account or a computer is infected.
Don't use University or personal systems to harass, bully or abuse people or break the law.
Protect your computer from viruses by using up-to-date antivirus software.
1. Purpose
2. Scope
3. Personal use
4. Monitoring, auditing and control
5. Protection of information
6. Reporting security events
7. Unacceptable use
- Creation or transmission of material (including via social media) which is defamatory and could constitute harassment, hate crime or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety.
- Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images).
- Creation or transmission of material with the intent to defraud.
- Creation or transmission of material that infringes the copyright of another person.
- Deliberate unauthorised access to networked facilities or services.
- Illegal activity including, but not limited to, accessing pornographic images or sites, or media which are specifically designed to promote terrorism or which advocate or promote any unlawful act.
- Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures.
- Any activity which brings the University into disrepute.
IT information security policy
1. Purpose
2. Information security roles and responsibilities
Role/title: University Secretary and Registrar
Responsibility: Providing accountability and assurance to UEG that information governance policies, including data protection and information security policies, are complied with.
Role/title: Executive Deans, Directors, Deputy Vice-Chancellors, members of the Senior Leadership forum
Responsibility: Has accountability and authority to manage the risk; approving the risk treatment plan and residual risk for the risks that they own.
Role/title: Privacy Coordinators
Responsibility: Compliance with Data Protection policy, including assessment of information security risk within their organisational area.
Role/title: TIS Enterprise Security
Responsibility: Assessing cyber security risk across the University and providing advice on appropriate mitigating measures.
Role/title: IT Director
Responsibility: Co-ordinating the University’s technical response to a major or critical information security incident.
3. Information classification
4. Communications security
5. Access control
- Deactivated promptly if no longer required, and deleted after no more than three months, or
- The user’s group membership must be cleared and new group membership set according to the new role.
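The two access-control rules above (deactivate accounts that are no longer required and delete them within three months; on a role change, clear the old group membership and set the new one) can be checked mechanically against an account export. The following is an added example, not University code or any University system's API. The account export format, the role-to-group mapping and the use of 90 days as "no more than three months" are all assumptions made for the example.

```python
"""Account lifecycle review for the access-control rules in section 5.

Added example, not University code. Assumes an export of accounts with a
status, a flag saying whether the account is still required, the date it
was deactivated, and the user's current role and group membership.
"""
from datetime import date
from typing import Optional

DELETE_AFTER_DAYS = 90  # "no more than three months", approximated (assumption)

# Assumed mapping from role to the groups that role should hold.
ROLE_GROUPS = {
    "lecturer": {"staff", "teaching"},
    "finance-admin": {"staff", "finance"},
    "student": {"students"},
}

# Constructed account export for the example.
ACCOUNTS = [
    # alice moved from finance-admin to lecturer but kept her old groups
    {"user": "alice", "status": "active", "required": True,
     "deactivated_on": None, "role": "lecturer", "groups": ["staff", "finance"]},
    # bob has left but is still active
    {"user": "bob", "status": "active", "required": False,
     "deactivated_on": None, "role": "lecturer", "groups": ["staff", "teaching"]},
    # carol was deactivated more than three months ago
    {"user": "carol", "status": "deactivated", "required": False,
     "deactivated_on": "2020-10-15", "role": "student", "groups": []},
    # dave was deactivated recently; nothing to do yet
    {"user": "dave", "status": "deactivated", "required": False,
     "deactivated_on": "2021-01-20", "role": "student", "groups": []},
    # erin is fine
    {"user": "erin", "status": "active", "required": True,
     "deactivated_on": None, "role": "student", "groups": ["students"]},
]

RUN_DATE = date(2021, 2, 9)  # constructed review date


def required_action(acct: dict, today: date) -> Optional[tuple]:
    """Return the action the policy requires for one account, or None.

    Actions are ("deactivate",), ("delete",) or ("reset_groups", [groups]).
    """
    if not acct["required"]:
        if acct["status"] == "active":
            return ("deactivate",)
        age = (today - date.fromisoformat(acct["deactivated_on"])).days
        if age > DELETE_AFTER_DAYS:
            return ("delete",)
        return None
    # Account still needed: group membership must match the current role.
    expected = ROLE_GROUPS[acct["role"]]
    if set(acct["groups"]) != expected:
        return ("reset_groups", sorted(expected))
    return None


def review(accounts, today: date) -> dict:
    """Map each user needing attention to the required action."""
    result = {}
    for acct in accounts:
        action = required_action(acct, today)
        if action is not None:
            result[acct["user"]] = action
    return result


if __name__ == "__main__":
    for user, action in review(ACCOUNTS, RUN_DATE).items():
        print(f"{user}: {' '.join(map(str, action))}")
```

The review only reports what the policy requires; the actual deactivation, deletion and group reset would be carried out through the identity system, and a record of each action taken should be kept for audit.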
6. Protection from malware
7. Management of technical vulnerabilities
A process for confirming that all network and server infrastructure is compliant (that is, has the most recent updates installed) should be documented. That process should include escalating any servers which are non-compliant to the appropriate persons for corrective action.
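A minimal form of the compliance-and-escalation process described above, as an added example that is not University code or the output of any University tool: it takes an inventory of hosts with their last patch date and count of pending critical updates, flags the non-compliant ones, and groups the findings by owning team so that each team receives one escalation. The inventory format, the 30-day patch window and the team names are assumptions made for the example; a real process would take these from the configuration-management database and the organisation's own patching SLA.

```python
"""Patch-compliance check with escalation, illustrating section 7.

Added example, not University code. The inventory, the 30-day window and
the owning teams are constructed assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_PATCH_AGE_DAYS = 30  # assumed compliance window; not stated in the policy

# Constructed inventory: in practice this comes from a CMDB or from a
# patch-management agent's report.
INVENTORY = [
    {"host": "web-01", "owner": "web-team", "last_patched": "2021-01-28", "pending_critical": 0},
    {"host": "db-01",  "owner": "db-team",  "last_patched": "2020-11-02", "pending_critical": 2},
    {"host": "fw-01",  "owner": "net-team", "last_patched": "2021-02-01", "pending_critical": 0},
    {"host": "app-02", "owner": "web-team", "last_patched": "2021-01-10", "pending_critical": 1},
]

RUN_DATE = date(2021, 2, 9)  # constructed date of the compliance run


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    reasons: Tuple[str, ...]  # why the host is non-compliant


def assess_host(entry: dict, today: date,
                max_age_days: int = MAX_PATCH_AGE_DAYS) -> Optional[Finding]:
    """Return a Finding if the host is non-compliant, otherwise None."""
    reasons = []
    age = (today - date.fromisoformat(entry["last_patched"])).days
    if age > max_age_days:
        reasons.append(f"last patched {age} days ago (limit {max_age_days})")
    if entry["pending_critical"] > 0:
        reasons.append(f"{entry['pending_critical']} critical update(s) pending")
    if not reasons:
        return None
    return Finding(entry["host"], entry["owner"], tuple(reasons))


def compliance_report(inventory, today: date,
                      max_age_days: int = MAX_PATCH_AGE_DAYS):
    """Split the inventory into compliant host names and Findings."""
    compliant: List[str] = []
    findings: List[Finding] = []
    for entry in inventory:
        finding = assess_host(entry, today, max_age_days)
        if finding is None:
            compliant.append(entry["host"])
        else:
            findings.append(finding)
    return compliant, findings


def escalation_queue(findings) -> dict:
    """Group findings by owning team so each team gets a single escalation."""
    queue: dict = {}
    for finding in findings:
        queue.setdefault(finding.owner, []).append(finding)
    return queue


if __name__ == "__main__":
    compliant, findings = compliance_report(INVENTORY, RUN_DATE)
    print("compliant:", ", ".join(compliant))
    for owner, items in escalation_queue(findings).items():
        print(f"ESCALATE to {owner}:")
        for f in items:
            print(f"  {f.host}: {'; '.join(f.reasons)}")
```

Keeping the assessment (`assess_host`) separate from the escalation routing means the compliance criteria can be tightened, for example by adding a check that the patch agent has reported recently, without touching the part that decides who is notified; the run date and the report should be retained so that the documented process can show it was actually followed.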
8. Backup
- It has been designed to meet the recovery time and recovery point requirements of the Faculty or service.
- It is physically secured against theft.
- It is sufficiently resilient that failure of a single hardware component would not result in data loss.
- It is held separately from the original data storage location such that it would be unaffected by hardware or software failure or physical/environmental incidents (e.g., fire or flood).
- It is protected from unauthorised access through technical controls and as far as possible physical separation from the original data storage location (to prevent destruction in the event of a security incident, e.g. ransomware).
- It is tested at least annually to ensure the data backed up could be used in the event of a data loss incident.
9. Cryptographic controls
10. Physical and environmental security
11. Supplier relationships
12. Information security incident management
Information security training
- GDPR and Information Security Online E-training, available to all members of the University.
- PCI DSS training, available to all staff members of the University.
If you have any ideas or suggestions regarding our information security, please share them with us!
Email: infosecurity@plymouth.ac.uk