Information Security Policy
Mike Roch - Director of IT Services
© University of Reading Information Technology Services, 23 December 2015
2 Overall Policy
– Agreed Autumn 2006
– Part of Information Strategy implementation
– Defines scope: “All information recorded within the scope of University activity is deemed a University record. Therefore staff have a duty to ensure appropriate keeping and/or disposal of all information they create and handle.”
– Relationship to sector standards (BS7799/ISO27001:2005)
– Governance: Information Strategy Committee responsible for policy development; University management structures responsible for implementation (cf. Health and Safety policies)
– Default review cycle 4 years
3 Sub-Policies
– Agreed Autumn 2007
– Systems Planning Policy
– Systems Management Policy
– Systems Operation Policy
– Software Management Policy
– Communications Networks Management Policy
4 Information Security Issues
– Confidentiality: Can only the appropriate people read it?
– Integrity: Is the data all present and correct? Could it be altered inappropriately?
– Availability: Can the appropriate people get to it when required?
5 Risk Assessment (chart; plotted items: Student PC, FOCUS, Lab PC, Staff PC, Dept Web Server)
6 Systems Planning Policy
– New systems authorised, given competent advice, and information security requirements recognised
– Information security risks assessed for new/upgraded software
– Information assets identified, classified and recorded
– Adequate capacity, resilience and fault tolerance specified
– Adequate physical and environmental security – FMD
– Appropriate access controls overall and to O/S controls
– Testing of compliance with all policies before acceptance
7 Systems Management Policy
– Systems to be managed by suitably trained and qualified staff. Training to include information security
– Appropriate access controls agreed by management and records kept of access granted and revoked
– Appropriate log-on process, accesses logged, logs secured
– Appropriate time-outs, password management, etc.
– Tight control of who may issue O/S level commands
– Change management – sanity checking, stakeholder consultation, audit trails, roll-back
– System clocks, anti-malware, patching
8 Systems Operations Policy
– Information security risks assessed to inform operations procedures
– Appropriate physical security, environmental protection and access controls ensured
– Documented operating procedures, developed with information security in mind
– Appropriate segregation of duties
– Reporting of security incidents and software malfunction
– Appropriate separation of development/test systems from live systems
9 Software Management Policy
– Applications to be managed by suitably trained and qualified staff
– Procurement and implementation of new or upgraded software to follow a formal, documented process
– Business case for new or upgraded software shall address information security issues
– Appropriate change control procedures shall apply
– Interfaces between applications documented and risks identified
– All software to be checked and tested independently of live systems before implementation/upgrade
– Mobile code to be especially scrutinised
10 Comms Networks Management Policy
– Single network design authority – currently IT Services
– University will provide ubiquitous links
– Managed by suitably trained and qualified staff
– Designed to provide suitable performance and reliability
– Access to resources on the network controlled – data network segregated
– Firewalls to protect critical systems
– Remote access subject to robust authentication and appropriate encryption
– New/upgraded software subject to change control
– Suitable protection from physical, environmental and technical threats
11 Next steps
– Documentation – model policies for departments
– Training – identification of general needs