Policy
1. Policy
1.1 It is the policy of the University of York that the information it manages will be appropriately secured to protect against the consequences of personal data breaches, breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.
1.2 The University will aim to achieve a culture in which legal requirements, information assurance and cyber security risks are considered whenever information is handled, through the provision of training, awareness campaigns and specialist guidance, advice and process.
1.3 The University will implement information security management practices which apply appropriate security while at the same time enabling staff, students and visitors to access, use and share the information they need.
1.4 The University will ensure that requirements and contracts that result in the collection, processing or storage of information are undertaken and protected in accordance with applicable legislation and standards.
1.5 Information held in user accounts may be examined on behalf of the University by authorised persons for specific operational or legal reasons. In these cases access will be authorised and conducted in accordance with the University policy on IT Investigations and Data Access Policy.
1.6 This document, together with related information security policies and implementation documents at www.york.ac.uk/information-services/information-policy/index/, defines the framework within which information security is managed across the University.
Scope
2. Scope
2.1 This policy is applicable to all those who have access to University information; staff, students, contractors, consultants, visitors to the University, whether accessing information from on or off-campus.
2.2 If you are responsible for providing contractors, consultants or visitors with University information you must ensure they are engaged under appropriate terms that protect the University’s security and privacy requirements.
2.3 This policy supplements University Regulation 11 on Using University Information and University policy on Records Management and Data Protection.
Oversight
3. Oversight
3.1 Overall responsibility for information security in the University is delegated from the Vice Chancellor, via the Chief Operating Officer, as Senior Information Risk Owner, to the Director of IT Services.
3.2 The Information Security Board, chaired by the Senior Information Risk Owner, is responsible for approval of primary Information Security Policy and sponsoring the information security framework.
3.3 The Director of IT Services has the authority to define and implement University-wide primary Information Security Policy and framework, and is responsible for defining, implementing and overseeing specific policy under the approved Information Security Policy.
3.4 The Information Security Board, is responsible for regular policy reviews and monitors the effectiveness of the information security framework across the University.
Responsibilities
4. Responsibilities
4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.
4.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
4.3 Staff or students who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.
4.4 Contractors, consultants or visitors who act in breach of this policy, or who do not observe the requirement of security and privacy may have access withdrawn.
4.5 Any breach of information security or violation of this policy must be reported to Cyber Security, via CERT (cert@york.ac.uk), who will take appropriate action and inform the relevant contacts within and outside the University.
Document history
Document history
| 14 May 2012 |
Approved by Director of Information, J Stephen Town |
| 16 October 2015 |
Reviewed and approved by Information Security Board |
| 31 July 2019 |
Reviewed and approved by Information Security Board |
| 31 August 2022 |
Reviewed and approved by Information Security Board |
| 29 November 2023 |
Reviewed and approved by Information Security Board |
Support
For support in ensuring you are delivering to the requirement of this policy contact the Cyber Security Team.
Review
Review cycle: Annual
Date of next review: Nov 2024
