
Information Security Policy


This is the overarching policy which explains the key ways that the University ensures the secure handling of its information while providing appropriate access.

This policy applies to all those who have access to University information: staff, students, contractors, consultants and visitors to the University, whether accessing information on or off campus.

If you are responsible for providing contractors, consultants or visitors with University information, you must ensure they are engaged under appropriate terms that protect the University's security and privacy requirements.

This policy supplements University Regulation 11 on Using University Information and University policy on Records Management and Data Protection.


1. Policy

1.1 It is the policy of the University of York that the information it manages will be appropriately secured to protect against the consequences of personal data breaches, breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

1.2 The University will aim to achieve a culture in which legal requirements, information assurance and cyber security risks are considered whenever information is handled, through the provision of training, awareness campaigns and specialist guidance, advice and process.

1.3 The University will implement information security management practices which apply appropriate security while at the same time enabling staff, students and visitors to access, use and share the information they need.

1.4 The University will ensure that any requirement or contract that results in the collection, processing or storage of information is undertaken, and the information protected, in accordance with applicable legislation and standards.

1.5 Information held in user accounts may be examined on behalf of the University by authorised persons for specific operational or legal reasons. In these cases access will be authorised and conducted in accordance with the University policy on IT Investigations and Data Access Policy.


2. Oversight

2.1 Overall responsibility for information security in the University is delegated from the Vice Chancellor, via the Chief Operating Officer, as Senior Information Risk Owner, to the Director of IT Services.

2.2 The Information Security Board, chaired by the Senior Information Risk Owner, is responsible for approval of primary Information Security Policy and sponsoring the information security framework.

2.3 The Director of IT Services has the authority to define and implement University-wide primary Information Security Policy and framework, and is responsible for defining, implementing and overseeing specific policy under the approved Information Security Policy.

2.4 The Information Security Board is responsible for regular policy reviews and monitors the effectiveness of the information security framework across the University.


3. Responsibilities

3.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

3.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

3.3 Staff or students who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.

3.4 Contractors, consultants or visitors who act in breach of this policy, or who do not observe the University's security and privacy requirements, may have their access withdrawn.

3.5 Any breach of information security or violation of this policy must be reported to Cyber Security, via CERT (cert@york.ac.uk), who will take appropriate action and inform the relevant contacts within and outside the University.


4. Support

4.1 This document, together with related information security policies and implementation documents, defines the framework within which information security is managed across the University. These are listed at:
www.york.ac.uk/information-services/information-policy/index/ 

4.2 For support in meeting the requirements of this policy, contact the Cyber Security Team.

5. Legislation and standards

5.1 UK GDPR Article 5(1)(f)

5.2 ISO/IEC 27001:2022 Clause 5

5.3 Payment Card Industry Data Security Standard (PCI DSS) v4.0.1, Requirement 12.1

5.4 Statutory Code of Practice on Records Management


6. Document history

6.1 Review Cycle: Annual

14 May 2012 Approved by Director of Information, J Stephen Town
16 October 2015 Reviewed and approved by Information Security Board
31 July 2019 Reviewed and approved by Information Security Board
31 August 2022 Reviewed and approved by Information Security Board
29 November 2023 Reviewed and approved by Information Security Board
27 May 2025 Reviewed. No policy change, addition of Supporting Legislation and Standards (6)