Defining the University’s approach to information security in projects
This control procedure defines the University’s approach to information security in projects, and directly supports the following policy statements from the Information Security Policy:
Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.
Controls to mitigate any risks identified will be implemented where appropriate.
Systems development will be subject to change control and separation of test, development and operational environments.
The University’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected. Supplier activity will be monitored and audited according to the value of the assets and the associated risks.
This procedure is intended to be read and understood by ISDS and other staff who are responsible for the implementation of IT systems; and for those involved in scoping projects that may require the processing of University information.
The University’s information security requirements will be considered when setting up new projects that may include new IT systems and services, or carrying out changes or upgrades to existing systems and services which may generate information security or data privacy implications.
Prior to the commencement of a new project or a change to an existing IT system or service, the lead project manager should work alongside colleagues within the Information Security and Legal teams to complete the following assessments:
Where the outcome of the assessments above identifies significant risks, a full risk assessment will be conducted to review the risks further and to determine if residual risks are acceptable to the University, as defined in the Information Risk Management Policy. For further guidance on conducting risk assessments please see the Risk Assessment Control Procedure or speak to the Information Security Team.
The Information Security Team must formally assess the use of third-party IT systems and services, including cloud hosting services. Project managers and sponsors will ensure that vendors adequately address security, privacy and all other IT system requirements. The use of such systems and services must comply with the University's Information Security Policies.
When a new project is being considered, or where there is a requirement for a change to an existing system or service that may have information security or data privacy implications, the Project Sponsor or Service Owner will be accountable for ensuring that these assessments are conducted. The Project Manager or Business Analyst will be responsible for following the process set out above.
Project managers and service or system owners must take into account the confidentiality and value of the information involved, and the potential impact of a serious incident (for example information loss, user account misuse, compromise or a technical failure), when determining which security controls and risk mitigation measures to use.
Residual risks must be recorded in relevant local risk registers and monitored appropriately. Any medium or high risks should be discussed with the Information Security Team.
The University’s Information Security and Legal teams will support project managers or service owners with the overall assessment of information security and data privacy risks where required.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security Team annually or more frequently as required, and will be approved by the Information Governance Board.