
Information Governance Policy for UEH

I. Introduction:
Information governance ensures that information is created, kept, used, disclosed, archived, and
destroyed in line with legal obligations, and that the organization's goals are met through
defined processes, responsibilities, norms, and standards. Failures of information governance
expose the University to regulatory, reputational, and operational harm. With the explosion of
information, the University must monitor and control these risks. The University's vision and
strategy depend on the effective management and use of information.
II. Definition
Information is commonly defined as "knowledge or facts about someone or something" and as
"the communication or receipt of knowledge or intelligence". It can take many forms, but it
must have value for the recipient. It includes paper documents, electronic documents,
photographs, videos, social media posts, statistical or research data, and metadata.
III. Purpose of this Policy
This policy establishes the high-level information governance principles that apply across
the University and clarifies the roles and reporting lines of staff. It is intended as a
general framework that sets out the scope of university-wide information governance and
highlights critical information and the related staff regulations.
IV. Scope
This policy covers all information held by the University, whether created by the University
or received from third parties. It applies to all staff, including honorary staff, contractors,
hourly-paid teachers, and students who work for the University (including internships). For
further information, see the University's website.
V. Roles and responsibilities
The University has several critical roles and responsibilities in relation to information
governance, as outlined below. The framework diagram in Appendix B shows how the roles
relate to each other:
- All staff and third-party contractors
- Board of Trustees
- Senior Information Risk Owner (SIRO)
- Information Asset Owners (IAOs)
- Information Asset Administrators
- Assistant Director of IT Services (Governance and Risk)
- Information Governance and Security Advisory Board (IGSAB)
VI. Legal and compliance
The University's information governance framework must comply with several statutory acts
relating to the processing and use of information, as well as common-law confidentiality
obligations. The University's information guide gives more detail on these laws. The
University must also meet non-legislative requirements, both internal and external, such as:
- Payment Card Industry Data Security Standard (PCI DSS)
- JANET acceptable use and security policies
- NHS Information Governance Toolkit
- Requirements of the Ethics Committee and other regulatory or institutional approvals
- Specific contractual and funding requirements
VII. Information Governance and Security Advisory Board (IGSAB)
IGSAB members are drawn from the areas of the University with significant information
governance concerns. The IGSAB's terms of reference define its membership and responsibilities.
VIII. Records and document management
The Code of Practice issued under Section 46 of the Freedom of Information Act establishes
several principles for records management, including:
- Recognizing records management as a vital corporate function;
- Incorporating records and information management into business risk management;
- A governance structure with clearly defined roles and responsibilities;
- Guidance on creating, maintaining, and managing records at all levels of the
organization;
- Identifying the information and business systems that hold records, and providing the
resources needed to preserve them and protect their integrity and the information they
contain.
This policy establishes consistent criteria for the creation, use, and disposal of
information by University staff.
Training
The University will ensure that staff receive appropriate training to manage information in
their day-to-day work. To understand the risks and obligations of information management,
all new employees must complete the University's mandatory online information security
training. Staff will be updated annually on changes to information governance best practice.
Information Asset Owners must complete additional training related to their role in
maintaining local information management and security procedures.
IX. Interaction with other policies and procedures
Staff must be aware of the following University information governance policies and
procedures:
Information Governance Policies:
- IGP-02 - Data Protection Policy
- IGP-03 - Records Management and Retention Policy
- IGP-04 - Records Retention Schedule
- IGP-05 - Document Management Policy
- IGP-06 - Digital Preservation Policy
- IGP-07 - Personal Data Breach Policy
- IGP-08 - Privacy Impact Assessment Policy
- IGP-09 - Information Strategy Principles
- IGP-10 - Information Classification
Other policies and guidance:
- Information Security Policy
- IT Policy
- Information Classification Scheme
- Mobile and Remote Working Policy
- Outsourcing and Compliance Policy
- Social Media Policy
- Incident Management Policy
- Open Access to Research Policy
- Research Data Management Policy
X. Policy review and ownership
IGSAB shall review this policy as necessary and at least every three years. The document is
owned by the Secretariat Information Governance Manager.

Importance of information governance to the organization

Information governance is the use of technology, policies, processes, controls, and strategies to
get the most from information in meeting business objectives while reducing risk. Knowing your
data is the foundation of information governance: know what data you hold, its format, why you
hold it, where it is stored, how it is used, and when it is destroyed. Cyber security, in turn,
rests on a solid foundation of information governance. Information governance brings together
senior management and business, legal, and IT staff to analyze the Blackbaud Institute's
information needs. New data types, such as the content of collaborative apps, can complicate
information management, so an eDiscovery and information management playbook should be
prepared. At the Blackbaud Institute, we understand data storage, data backup, and data flow.
Cyber security covers who can access data and the processes by which they do so; restricting
access to particular data, for example through encryption, is one such control. Documentation
and litigation data will be protected differently from operational data, and outdated data that
is retained beyond its useful life is itself a cyber security risk.

Risk Analysis

Risk analysis is the process of identifying and analyzing potential events that could have a
negative effect on projects or operations. It is carried out to help organizations avoid certain
hazards or to mitigate them. Risk analysis considers the likelihood of adverse events caused
either by natural processes, such as severe storms, earthquakes, or floods, or by deliberate or
accidental human activity. An important part of risk analysis is assessing both the potential
harm from these events and their probability.

Risk Assessment Methodology

Risk assessment and risk management are the core of the information security framework. They
define security policy norms and guidelines and align the aims of the information security
framework with the Blackbaud Institute's controls and methods. Each part of the IT infrastructure
should be assessed for risk, and on the basis of that assessment the Institute should allocate
time and resources to developing the most effective security policies. When deciding how to
secure various IT resources, it is important to examine the secondary and other consequences of
an action (or of inaction). Depending on the size and complexity of the IT environment, a broader
focus may be needed rather than a narrow examination of individual asset values and risks. The
allocation of security resources should be decided by the key risk owners, who best understand
the scope of security risk within the Institute and are best placed to make that decision.

Qualitative or quantitative risk analysis

Risk analysis uses both qualitative and quantitative methods. A qualitative risk analysis
typically ranks the likelihood that a risk will occur and its impact on the Institute. Impact is
usually classified as low, medium, or high, and likelihood can be classified the same way or
expressed as a percentage from 0% to 100%. Quantitative risk analysis, by contrast, aims to put
numbers on adverse events by estimating the cost to the Institute of a single occurrence and the
probability (or expected frequency) of it occurring within a year; the product is the annualized
expected loss. For example, if a major cyberattack would cost $10 million and has a 10%
probability of occurring in the current year, the expected loss for the year is $1 million.

A qualitative risk analysis produces subjective conclusions, because its data are the
participants' perceptions of risk likelihood and expected effects. It nonetheless lets the
Institute and project teams prioritize risks and limit their influence on the organization or
project. A quantitative risk analysis, on the other hand, examines the overall risk exposure of a
project by calculating the probability and impact of each risk in measurable terms.

Quantitative risk analysis improves decision-making by providing more objective facts and
figures than qualitative analysis.
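The two analyses described above, applied to a small constructed risk register. This is an added example and not part of the original document or of any Blackbaud or UEH material; the risk names, loss figures, occurrence rates and control cost are assumed sample values, and the code goes slightly beyond the text's single $10 million / 10% case by ranking several risks and by weighing a control's annual cost against the loss it avoids.

```python
"""Risk register that applies both analyses from the text: a qualitative
low/medium/high ranking and a quantitative annualized loss expectancy (ALE).

All risk names, loss figures, rates and control costs below are constructed
sample data, not figures from the Blackbaud or UEH documents.
"""
from dataclasses import dataclass
from typing import List

# Qualitative scale from the text: low, medium, high for both likelihood and impact.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # qualitative likelihood: "low" / "medium" / "high"
    impact: str       # qualitative impact: "low" / "medium" / "high"
    sle: float        # single loss expectancy: cost of one occurrence, in dollars
    aro: float        # annualized rate of occurrence: expected occurrences per year


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the 1..3 scale, i.e. a cell of a 3x3 risk matrix (1..9)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def qualitative_rating(risk: Risk) -> str:
    """Collapse the 1..9 matrix score back to the low/medium/high bands.
    Scores 6 and 9 are the high band, 3 and 4 the medium band, 1 and 2 the low band."""
    score = qualitative_score(risk)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. The text's "10% probability of attack in a year" is an
    ARO of 0.10; ARO may exceed 1.0 for events expected several times a year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks by annualized loss expectancy, largest first."""
    return sorted(risks, key=lambda r: annualized_loss_expectancy(r.sle, r.aro), reverse=True)


def safeguard_net_value(sle: float, aro_before: float, aro_after: float,
                        annual_control_cost: float) -> float:
    """Net annual value of a control = ALE before - ALE after - annual cost of the control.
    A positive result means the control avoids more loss than it costs each year."""
    reduction = (annualized_loss_expectancy(sle, aro_before)
                 - annualized_loss_expectancy(sle, aro_after))
    return reduction - annual_control_cost


# Constructed sample register (assumed values, for illustration only).
SAMPLE_RISKS = [
    Risk("Major cyberattack (ransomware)", "high", "high", sle=10_000_000, aro=0.10),
    Risk("Phishing credential compromise", "medium", "medium", sle=50_000, aro=2.0),
    Risk("Data centre flood", "low", "high", sle=2_000_000, aro=0.02),
    Risk("Laptop theft", "high", "low", sle=5_000, aro=4.0),
]


def main() -> None:
    print(f"{'risk':34} {'qual.':>6} {'ALE ($/yr)':>12}")
    for r in rank_by_ale(SAMPLE_RISKS):
        ale = annualized_loss_expectancy(r.sle, r.aro)
        print(f"{r.name:34} {qualitative_rating(r):>6} {ale:>12,.0f}")
    # Is an assumed $300k/yr control that cuts ransomware ARO from 0.10 to 0.02 worth it?
    net = safeguard_net_value(10_000_000, 0.10, 0.02, 300_000)
    print(f"net annual value of ransomware control: {net:,.0f}")


if __name__ == "__main__":
    main()
```

In the sample register the flood and laptop-theft risks land in the same 3x3 matrix cell (score 3, both "medium"), so the qualitative view cannot order them, while their ALEs differ by a factor of two; that is the objectivity gain the text attributes to quantitative analysis. Note also that the text's "probability within a year" is really an annualized rate: an event expected four times a year has an ARO of 4.0, which a percentage cannot express.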

Identification of Information Assets and Risk Associated:

All data on which the Institute depends is an information asset. Security staff must identify
these assets with the direct participation of those who actually work with the information:
managers cannot decide on their own what information is essential, because the people who use it
daily have the best grasp of its importance. Key information processing systems are assets too;
a database holding all customer data is useless if the systems needed to access it are
unavailable.

The main focus of this analysis is physical assets, but some of the hazards identified for asset
management are shared with the other asset types:

- Not knowing what assets exist
- Over- or under-maintenance
- Incorrect operation
- Incorrect risk management

Identification of threats and vulnerabilities:

A risk management programme begins with a threat assessment, which considers all potential
threats to an institution or site (natural, criminal, terrorist, accidental, and so on). The ISC
standard addresses only human threats, but agencies and organizations are free to consider
other concerns. The assessment should include supporting data for the relative likelihood of
each hazard. Natural hazards such as tornadoes, hurricanes, floods, fires, and earthquakes can
be assessed from historical occurrence data. Local crime statistics show the type of criminal
behaviour that could endanger the facility. The Blackbaud Institute's assets and activities may
increase its appeal as a target to an aggressor, and the Institute's property and operations
also influence the likelihood of particular threats.
Existing countermeasures serve to deter and/or defend a facility, while the facility's
attractiveness as a target is determined by its function and/or its symbolic meaning to an
attacker. Sample vulnerability rating definitions are:

- Very High: a high-profile, widely recognized facility that is a very attractive target for
potential adversaries, and the existing countermeasures are inadequate to deter and/or defend
against them.
- High: a high-profile regional or national facility that is an attractive target, and/or the
existing countermeasures are inadequate to deter and/or defend against an attack.
- Moderate: a moderate-profile facility (not widely known outside its area) that presents a
potential target, and/or the existing countermeasures are only partly adequate to deter and/or
defend against an attack.
- Low: a low-profile facility that presents a possible target, and the existing countermeasures
provide an adequate level of deterrence and/or defence.

