Introduction to Information Security

The Information Security team is responsible for the development, operation and continuous improvement of information security across the University ensuring the availability, confidentiality and integrity of its information.

We define information security policies and procedures, advise on secure IT arrangements, provide training and practical advice that the University can use to meet business requirements while maintaining security. We are responsible for information security risk management and compliance, and the monitoring of IT systems to prevent and detect attacks.

We work closely with the University’s other Information Governance functions, supporting the Legal team with Data Protection compliance and contract reviews, and supporting the Records Management team with aspects of information asset management. We support the University’s SIRO (Senior Information Risk Owner), IAOs (Information Asset Owners) and IAMs (Information Asset Managers) in overseeing and promoting the effective management of University information to meet operational and legal requirements, and ensuring that the confidentiality, integrity and availability of University controlled information is maintained at all times.

• Tom Stoddart (Chief Information Security Officer): t.stoddart@mmu.ac.uk | 07966 313571

Information Assurance

• Hannah Burling (Information Assurance Specialist: h.burling@mmu.ac.uk
• Nicki Hargreaves (Information Assurance Specialist): n.hargreaves@mmu.ac.uk 

Cyber Security Operations

• Ian Scott (Head of Cyber Security Operations): i.scott@mmu.ac.uk
• Chris Luke (Security Analyst): c.luke@mmu.ac.uk
• Dan Smith (Security Analyst): d.smith@mmu.ac.uk
• Steve Fitzsimmons (Security Analyst): s.fitzsimmons@mmu.ac.uk  
• Fred Skinner (Security Architect): f.skinner@mmu.ac.uk
• Mohammed Tahir Mamun (Junior Security Analyst): m.mamun@mmu.ac.uk 

Manchester Metropolitan University are committed to maintaining and continuously improving the security of our systems. We value the assistance of security researchers and others in the security community to assist in keeping our systems secure.

If you have discovered a security vulnerability that falls within the mmu.ac.uk domain name and all subdomains of mmu.ac.uk or any systems in use by the University, TLS configuration vulnerabilities or an indication that our services do not fully align with industry best practice, please email igincident@mmu.ac.uk and include: 

• A description of the issue and where it is located – be as specific as possible.
• A description of the steps that led you to discover the issue.
• The entire URL (if applicable) and/or any IP addresses relevant to the vulnerability.
• Details of the affected platforms, components, operating systems and software versions.
• Any screenshots, including any log files (if applicable).
• Any reference to existing vulnerability information where relevant.

We ask that:

• You do not put any University data at risk, degrade performance of any of our systems, or conduct any form of attack.
• You act in a responsible manner and do not break any applicable laws.
• You alert us immediately if you can access anyone else’s data, personal or otherwise, including usernames or passwords. Please do not store, save or transmit this information.
• You do not attempt to prove any vulnerabilities. Any such action could be treated by the University as a potential misuse of the system and is therefore likely to lead to further action.
• You do not share vulnerability details except with the University Information Security team.
• You do not report generic vulnerabilities with no evidence of relevance to our systems.

In response to any responsible disclosure, we will ensure that:

• Information you provide will remain confidential, we will not share your data unless required by law.
• We keep you up to date with our progress and notify you when an issue is resolved.
• We will only ask you for any additional information if we need to investigate the issue further.
• Where necessary, a review will take place to update our practices to improve our security.

Please treat in a confidential manner any information associated with University systems, staff or students that you may have acquired or that you have otherwise become aware of that is not publicly available. Please do not share it with anyone other than emailing it to igincident@mmu.ac.uk as part of your responsible disclosure.