
Information Security Policy

Purpose

  1. This is the overarching policy which explains the key ways that the University ensures the secure handling of its information while providing appropriate access.
  2. This policy implements University Regulation 11 on Using University Information, together with the University policy on Records Management and the University of York Data Protection Policy (PDF, 240kb).

Scope

  1. This policy applies to everyone who has access to University information: staff, students, contractors, consultants and visitors to the University, whether they access that information on or off campus.
  2. If you are responsible for providing contractors, consultants or visitors with University information you must ensure they are engaged under appropriate terms that protect the University’s security and privacy requirements. 

Definitions

  1. ‘Information’ covers information created or received by the University, purchased by or licensed to the University, in either physical or digital format.
  2. ‘Information users’ and ‘user accounts’ include staff, students, contractors, consultants, associates, partners, visitors and guests when facilitated with access to any University system or service. 
  3. ‘Devices’ covers all devices used to access University information, whether University-issued or non-University, including personal and mobile devices.

Policy statement

  1. It is the policy of the University of York that the information it manages will be appropriately secured to protect against the consequences of personal data breaches, breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.
  2. The University aims to achieve a culture in which legal requirements, information assurance and cybersecurity risks are considered whenever information is handled, through the provision of training, awareness campaigns and specialist guidance, advice and process.
  3. The University will implement cybersecurity management practices which apply appropriate security while at the same time enabling staff, students and visitors to access, use and share the information they need.
  4. The University will ensure that requirements and contracts that result in the collection, processing or storage of information are undertaken and protected in accordance with applicable legislation and standards.
  5. Information held in user accounts may be examined on behalf of the University by authorised persons for specific operational or legal reasons. In these cases, access will be authorised and conducted in accordance with the University policy on IT Investigations and Data Access Policy.
  6. All information users are responsible for protecting and ensuring the security of the information to which they have access.
  7. The University will deploy services and processes to protect all devices issued to information users against security threats, and information users must not interfere with or disable these measures. Where non-University devices are used to access University information or systems, the information user is responsible for ensuring that the device is operated securely.
  8. University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
  9. Staff or students who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.
  10. Contractors, consultants or visitors who act in breach of this policy, or who do not observe its security and privacy requirements, may have their access withdrawn.
  11. Any breach of information security or violation of this policy must be reported to Cyber Security, via CERT (cert@york.ac.uk), who will take appropriate action and inform the relevant contacts within and outside the University.

Exceptions

  1. There are no exceptions to this policy.

Monitoring and review

  1. The Information Security Board, chaired by the Senior Information Risk Owner, is responsible for approving the primary Information Security Policy and for sponsoring the information security framework.
  2. The Director of IT Services has the authority to define and implement the University-wide primary Information Security Policy and framework, and is responsible for defining, implementing and overseeing the specific policies that sit under the approved Information Security Policy.
  3. The Information Security Board is responsible for regular reviews of this policy and for monitoring the effectiveness of the information security framework across the University.

Document control

  • Approval body: Information Security Board
  • Policy owner: Nigel Alcock
  • Responsible service: IT Services
  • Policy manager: Head of Cyber Security
  • External regulatory and/or legal requirement addressed: 
    • UK GDPR Article 5(1)(f)
    • ISO/IEC 27001:2022 Clause 5
    • Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 Requirement 12.1
    • Statutory Code of Practice on Records Management
    • Cyber Essentials
  • Equality Impact Assessment: Not applicable for this policy
  • Approval date: 28/01/2026
  • Effective from: 01/02/2026
  • Date of next review: 01/02/2027