INFORMATION SECURITY POLICY

Student Name
Contents
Introduction...............................................................................................................................................1

Scope and purpose.....................................................................................................................................2

Policy..........................................................................................................................................................2

Definitions..................................................................................................................................................3

Governance................................................................................................................................................5

PRINCIPLES FOR INFORMATION SECURITY................................................................................5

Principles in ISS (Information Security system).................................................................................5

Information classification and handling..................................................................................................6

Information classification and category...................................................................................................7

Responsibility and ownerships.................................................................................................................7

User Management......................................................................................................................................8

User account...........................................................................................................................................9

Encryption.................................................................................................................................................9

Key Management.................................................................................................................................10

Information classification flowchart......................................................................................................11

1|Page
Introduction
The University's services are supported by computers, which are also crucial to its
administrative, teaching, and research operations. Therefore, it is crucial that each University
employee do their share to maintain the accessibility, consistency, privacy, and validity of the
data they own or have access to. The misuse of university data not only runs the risk of
jeopardizing the institution's standing and interfering with its operations, and that might put the
company in danger of facing legal repercussions. Additionally, the persons whose information is
affected by the loss or unintentional exposure of private data may experience severe anguish.

The University of Hertfordshire's information security policy is contained in this

paper, along with instructions for faculty, staff, and students. Everyone who is a student
at the university has a duty to work.

Scope and purpose

This Policy provides a framework for the management of information security throughout the
University, and applies to:

i) Everyone who has access to the university's information systems, including employees,
students, guests, and contractors.
ii) All information or data that the university maintains in print or electronic formats, such
as papers, spreadsheets, and other paper-based and electronic data, photos, and videos.
iii) All systems connected to university phone or computer networks, as well as any systems
the university provides.
iv) All data handled by the university as part of its operational operations, including all
communications transmitted to or from the university and any data kept on systems
outside the university's network, whether the data is processed electronically or on paper.
v) All university-owned non-mobile computers as well as all personally owned mobile
computing devices used to access university information systems. This Policy also
applies to non-mobile devices, such as privately owned desktop computers, when they are
used to access university data off of university property.
vi) All external third parties that assist the University with its commercial operations and
information processing infrastructure.

2|Page
Policy
1. Information security must be maintained in compliance with this policy, as well as any
supporting procedures and standards, by all users of information assets.
2. University departments that manage information systems and companies that supply the
university with information systems should assign one or more of their employees the
responsibility of monitoring information security and offering qualified local counsel as
needed. The Executive Director, Business Services, and Chief Technology Officer can
offer advice to university departments on information security and risk management.
3. External service providers hired by the university are required to abide by this policy as
well as any applicable supporting procedures and standards.
4. The University's policies governing information security include:
4.1.1. Creating an information security plan;
4.1.2. Organizing, overseeing, reviewing, and guaranteeing the overall Information Security
Management Framework's (ISMF) efficacy;
4.1.3. Creation of clear and practical information security procedures;
4.1.4. Evaluating the information security program's success by the gathering and analysis
of metrics, self-evaluations, and outside review; and
4.1.5. Helping role-bearers under this policy fulfil their responsibilities by offering advice
and assistance.

Definitions
For the purposes of this document the following definitions apply:

Computer - includes all end user computing devices as well as servers, whether or not they are
on a university site.

Data – The Data Protection Act defines data as information which

i) Is being processed by automatic machinery responding to commands sent for that

purpose.
ii) Is recorded with the intent that it should be processed by such machinery.
iii) Is recorded as a component of or with the intent that it should constitute a component of a
relevant file system.

3|Page
 iv) Is recorded information maintained by a public authority and does not come under any of
the definitions (ii), or (iii), but does form a component of an accessible record as defined
by section 68. (iv).

For the purposes of this Policy the term ‘data’ is interchangeable with ‘information’.
The information is protected but use a scientific method and a secret key so that only people with
access to the secret key may decode the data and transmit it. In many situations, encryption can
offer a suitable defense against the unauthorized or illegal processing of personal data, especially
when other precautions are impractical to take.
For the purposes of this Policy, the terms "information" and "data" are synonymous;
Any portable computing or telecommunications equipment that can be used to process
information qualifies as a mobile computing device. Smartphones, tablets, and laptops are among
examples.
Personal data is any data or information that pertains to an identifiable live individual.

i) From those data, or,

ii) From those data and other information that the data controller has access to or is likely to
obtain, and.
iii) Includes any expression of opinion about the individual and any indication of the
controller's or any other person's intentions with regard to the individual.
Software management refers to the acquisition, creation, application, control, operation, and
decommissioning of software on computers that are owned, operated, or used by the University.
Asset custodian refers to a person, organization, or outside provider to whom the asset owner
has assigned responsibility for the information security of an information asset. The owner of a
non-technical business service or process may also be the asset custodian, but this is less
frequent.

An individual who is responsible for an information asset is referred to as the asset owner. A
data asset owner is the owner of particular data pieces, regardless of where the data is located.
Many asset custodians may share operational responsibilities with an asset owner.

4|Page
Assuring that the information is accessible to authorized people when requested is referred to as
availability. Information is only useful if the appropriate individuals can access it at the
appropriate times.
The term "central facilities" refers to any associated computer and network facilities that are
owned or controlled by the university and for which the executive director, business services,
and chief technology officer are responsible, but excludes any local facilities.
Computers, computer systems, data network infrastructure, dial-in network access facilities,
email, and other communications and information facilities are all included in the category of
computing and network facilities. These items are all either owned or operated by the University
and are a part of the central facilities or the local facilities.
Information is kept private and confidential when it is not shared or made available to
unauthorized people, groups, or systems.

Governance
i) The Head of Information Assurance is in charge of creating, maintaining, and
disseminating this information security policy.
ii) This information security policy has been approved by the Vice Chancellor's Advisory
Group (VCAG), and any significant modifications require VCAG consent.
iii) Regular evaluations of this information security policy will be conducted, and it is the
duty of VCAG to see that these take place. The VCAG is also in charge of making sure
the Policy is internally consistent and stays that way.

This document will be recorded for any substantial changes and made widely available within
the University.

PRINCIPLES FOR INFORMATION SECURITY

The University understands that information is a key resource for knowledge-driven
organizations, and it is the University's policy to safeguard the information it controls against the
negative outcomes of any potential breaches in confidentiality, integrity, availability, and legal

5|Page
compliance. The observance of this policy by all University employees is necessary to meet this
goal.

Principles in ISS (Information Security system)

1. In order to support this information security policy, the University has established the
following eight principles:
2. All pertinent University rules and laws, particularly those relating to data protection,
freedom of information, and human rights, will be followed in protecting information.
3. Each information asset shall have a designated owner who is responsible for identifying
the information's proper uses and putting the necessary security measures in place to
safeguard the asset.
4. Only those with a valid need for access to the information will be granted access.
5. Information shall be categorized in accordance with this policy's Section 3's explanation
of the University's data classification rules.
6. Information integrity shall be preserved.
7. It is the obligation the responsibility of all those with access to information to manage it
in a manner consistent with its categorization.
8. Data will be shielded against unauthorized access.
9. Students or staff will be disciplined in accordance with the Student or Staff Disciplinary
Procedures for any behavior that violates the Information Security Policy and its related
regulations.

Information classification and handling

The efficient functioning of the University and the services it provides, including teaching,
learning, and research as well as administrative, managerial, and commercial operations, depends
on information, a basic university asset. To assist assure the avoidance of information leaks and
to lessen the consequences of such breaches if they do occur, it is crucial to classify information
correctly. It not only complies with best practices, but also helps to maintain the University's
compliance with data protection and freedom of information laws.

6|Page
The following information management principles shall be followed in order to make sure any
university information may be efficiently accessed, utilized, and shared while simultaneously
being safeguarded against unauthorized, use, or sharing:

1. Content is an asset that is preserved efficiently since it holds value for the university.
2. Users have access to the information they need to perform their tasks; thus, information is
supplied when it is acceptable and legal to do so.
3. Metadata has been Secure: Data is shielded from misuse as well as dissemination by
unauthorized parties. This involves the protection of sensitive and commercial
information in addition to more conventional components of information security like the
Data Protection Act.
4. Information is Responsibly Managed: It is the duty of every member of the university
community to make sure that information assets are used appropriately and securely.

Information classification and category

Information is classified according to its level of sensitivity and the potential consequences for
the University or an individual if it were to be revealed, changed, lost, or destroyed without
permission. Information is safeguarded from those who do not have the right to access it thanks
to the division of all information into separate categories, which guarantees that people who need
to access a piece of information may do so. The categorization will direct the necessary
technological and security controls.

Every document that our state owns, uses, produces, or maintains should fall into one of the
following three categories:

 Non-Sensitive/Open
 Personal/Confidential
 Extremely Sensitive

The majority of the university's data will fall into the "Non-Sensitive/Open" category. Private
data and other information will be classified as "Personal/Confidential" in tiny amounts. Only
when no other categorization is suitable can anything be classified as "Highly Sensitive."

7|Page
Responsibility and ownerships
Every piece of data needs to have an owner. This might be the person who wrote the paper or the
company or college in charge of the data or information.

All university staff need to be aware of such appropriate data classifications or how material
within each category should be processed, even if it is understood that it is not possible to
classify every document in the college with the appropriate data certification.

The majority of the time, it will be clear which category best fits the information. The data owner
is responsible for making sure that any documents or information that are unclear are properly
identified and that anybody who has access to the information is aware of its status. This is
especially true for material that is "Personal/Confidential" or "Highly Sensitive.

 Know the classification levels for information set out in the information security policy.
 Classify the information for which you are accountable as necessary.
 Only access information when necessary to satisfy a valid business requirement.
 No University Information may be disclosed, copied, released, sold, loaned, altered, or
destroyed without a legitimate business reason or authorization.
 In accordance with the classification level and nature of the information, safeguard the
confidentiality, integrity, and accessibility of university information.
 Handle information in line with any other relevant University standard or policy as well
as the Princeton Information Protection Standards and Procedures.
 Any physical key, ID card, computer account, or network account that enables access to
university information should be protected.
 According to the material's categorization level, kind, and any relevant university
retention requirements, dispose of media holding Princeton University information.
Information from any hard copy document (such a note or report) as well as any
electronic, magnetic, or optical storage device is included here (such as a memory stick,
CD, hard disk, magnetic tape, or disk).
 Before sharing any material created by the Office of the General Counsel or before
responding to any subpoenas, court orders, or other information demands from private
litigants or government agencies, you should get in touch with the Office of the General
Counsel.

8|Page
User Management
Effective management of usernames and permissions is crucial to ensuring the security of the
University's systems for data and information. This rule is applicable to any computer systems
linked to the university network or used to perform university operations.

Users will only be given access privileges that are necessary for them to carry out their tasks.

User account
There are three levels of user accounts at the university:

Access to the whole university network in its entirety. It is frequently the degree of access
offered to existing employees and students.

Access to the university's network and wireless internet is restricted and customized. This level
of access is often given to: Students from partner universities will be given restricted accounts in
order to access particular resources.

Employees who have been given honorary or associate status, as well as retired employees.
(Associates will include employees from other companies that its college contracts with one
another to supply services and who may need access to the university's information systems to
carry out their contractual duties. Additionally, associates will include outside researchers.)

Internet access is prohibited for guests. Usually, this degree access will be made available to:

 Visitors to the university, such as contractors who may be given temporary access to the
network;
 Alumni of the university who may be given access to a restricted set of services.

Encryption
Data that is "Personal/Confidential" or "Highly Sensitive" must be encrypted. Please refer to the
Information Classification and Handling Table for further information on data classification.
To reduce the chance of interception, "Personal/Confidential" or "Highly Sensitive" data must

9|Page
always be encrypted before being transferred over data networks. This applies to transmitting or
receiving such material via email as well as to using network services that need authentication
(i.e., login and password access).
Unless its secrecy can be adequately guaranteed, "Personal/Confidential" or "Highly Sensitive"
information should only be taken for use outside of university premises in an encrypted form.
The devices themselves must be encrypted when "Personal/Confidential" or "Highly Sensitive"
data is being kept or accessed through mobile computing devices; it is not permissible to store or
access data that is "Personal/Confidential" or "Highly Sensitive" on privately owned, non-
University owned devices, whether mobile or not.
However, it is always preferred to access University information using the University's remote
access capabilities, regardless of the data categorization.
Students' enrollments at partner universities or other information stored on PCs used at external
events might also be at danger. As a result, it is important to evaluate all information security
concerns and use encryption where it makes sense.
It may be preferable for a staff member to securely store certain "Personal/Confidential" or
"Highly Sensitive" data in an encrypted form during the usual course of business. However, it is
sometimes necessary for this data to be available even when they are not present. For more
information on allowing staff access to third parties, go here.
Key Management
Encryption keys are typically stored as a password, passphrase, or PIN. It is crucial that
encryption keys are properly handled since if a key is lost or forgotten, the information will no
longer be accessible.
The University's IT Department shall be in charge of the secure administration of the encryption
keys when devices are encrypted by them. It will be the owner's responsibility in all other
situations when a person has encrypted a device (such as a USB drive) to maintain the encryption
keys. It is advised to create safe backups of your keys and to think about keeping copies with
reputable third parties.

10 | P a g e
Information classification flowchart

This Flow Chart should be used to help

determine which classification each piece of
information should be classified as. Note that it
is possible for one piece of information or
document to have different classifications
throughout its lifetime. For instance,
commercially sensitive information may become
less sensitive over time.
Is the
informatio Where one set of information contains a range
n for public of information, such as a database, the highest
use only? classification should be applied to the whole set
of information.

Yes No

Treat as Non-
Sensitive/Ope Are individuals
n identifiable
from the
information?

Yes No

Is the information Is the information

personal, sensitive business sensitive,
or both? confidential or
both

Persona Sensitive/
Sensitive YesNo
l
& Personal
Treat as Treat as Non-
Is the information
Highly Sensitive/Ope
Sensitive businesssensitive,
n
confidential or
both?

Confidentia Sensitive/Confidential &

l Sensitive

Treat as Treat as
Personal / Highly
Confidentia Sensitive
l

11 | P a g e
12 | P a g e