Defining the University’s approach to compliance
This control procedure defines the University’s approach to compliance and directly supports the following policy statement from the Information Security Policy:
The design, operation, use and management of information systems must comply with all statutory, regulatory and contractual security requirements. Currently this includes the Data Protection Act, the payment card industry standard (PCI-DSS), the Government’s Prevent guidance and the University’s contractual commitments.
The University will use a combination of internal and external audit to demonstrate compliance against chosen standards and best practice, including against internal policies and procedures. This will include IT Health Checks, gap analyses against documented standards, internal checks on staff compliance, and returns from Information Asset Owners.
This procedure is intended to be read and understood by all users accessing University information in electronic or paper format, IT systems, networks or software using any University or personally owned device. It is of particular relevance to Information Asset Owners and Managers, and other managers who are responsible for staff or systems.
The University will use internal and external measures to conduct regular compliance checks against existing information security controls, procedures and guidance. These checks will provide valuable insight into the practical application of procedures, raise any training and awareness issues and identify areas for improvement. Recommendations for improvement will be made and any required changes in procedure or guidance will be implemented promptly.
Internal compliance checks will take place across the University to demonstrate levels of compliance against internal policies and procedures. The selection of compliance checks will vary, taking into account reported security incidents or near misses in order to drive a continuous improvement programme.
The Information Governance team will work with individual departments to conduct the compliance checks and provide recommendations to improve practice where appropriate. Good practice will be highlighted to evidence compliance.
Compliance checks will vary in nature but are likely to include a member of the Information Governance team sitting with teams to obtain an overview of team processes to determine information security practices. Alternatively, some teams may be asked to provide a written return in response to specific questions around their information governance behaviours. Other options include targeted checking of the application of policies and procedures, for example determining if documents have been classified and marked appropriately in line with the University’s Information Classification scheme.
Internal vulnerability scans will be run on a regular schedule by ISDS staff, the output being passed to the Information Security team and the appropriate technical staff for remediation.
The University will use external vulnerability assessments and penetration testing to supplement its internal capabilities. The University has a contract with a nominated provider, and will maintain this relationship to provide continuity in the support offered. Decisions to use external vulnerability assessments will be made and authorised by the Assistant Director of Information Security.
There is no defined schedule or scope for testing, but it is good practice to undergo annual penetration testing of at least key external-facing services, and to test new systems or significant changes to systems as required.
Consideration will be given to industry best practice when determining external vulnerability assessments including, but not limited to, Cyber Essentials certification and compliance with the Cloud Security Principles when implementing new systems.
All staff are expected to complete and pass mandatory data protection training on an annual basis. Compliance checks will take place at regular intervals throughout the year to ensure mandatory training is being completed. Compliance reporting will then be sent to the Information Asset Owners and the Information Governance Board to highlight any gaps in staff engagement and capability. Failure to successfully complete mandatory security training should be managed by local line managers taking into account the University’s Capability Procedure.
The Information Security team have overall responsibility for ensuring there are clear procedures and guidance for all staff explaining their information security responsibilities, and for conducting compliance checks to provide assurance to the Information Governance Board.
The Information Governance team will work with other departments across the University, including Learning & Development, to deliver an ongoing training and awareness programme for all employees.
Information Asset Owners and Information Asset Managers have responsibility for identifying and managing information security risks in their business areas and promoting the use of compliance checks to improve practice and change behaviour.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.