Information Security Local Policy Template and Instructions

June 2014, Information Security Team

Introduction

The University’s information security policy requires that each unit has its own local information security policy. An information security policy is defined by ISO/IEC 27000:2014 as, “intentions and direction of an organization as formally expressed by its top management”. Unit-level information security policies should identify the security requirements of units, define key roles and responsibilities and state the commitment of senior management within the unit to information security; no “one-size-fits-all” policy can cover the entire University.

Once objectives have been described and endorsed in your policy, an Information Asset Register tool should be used to help you identify your assets and assess your high-level information security risks in accordance with the University, and your local, information security policy. The tool will help you produce a top-level local policy, which acts as a statement of intent and commitment to secure information in your unit. Examples of local policies can be seen on the information security web pages, and other templates are available; further advice and guidance can be sought by emailing the InfoSec Team.

Licence

The Information Security Toolkit [of which this Information Security Local Policy Template and Instructions is a part] by the University of Oxford Information Security Team is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Permissions beyond the scope of this license may be available at .

Instructions for Template use

This tool provides you with an annotated policy template. In order to prepare a unit-level information security policy, fill in the gaps in the template as per the instructions provided via the comments. Once completed, your policy should be endorsed by senior management within the unit. The endorsement should be formally noted (e.g. in the minutes of a unit management meeting) and the policy should be communicated to all users.

This Template is designed to produce an Information Security Policy which has the essential components. In due course, it is expected that you will expand your policy to cover more aspects of information security. Further details and examples are provided in the information security toolkit.

Template Policy

<UNIT>: Information Security Policy

Introduction

[UNIT]’s computer and information systems underpin all [UNIT NAME]’s activities, and are essential to [ENTER HIGH-LEVEL OBJECTIVES HERE[JA1]]. The [UNIT] recognises the need for its members, employees and visitors to have secure access to the information they require in order to carry out their work, and recognises the role of information security in delivering this. Security of information must therefore be an integral part of the [UNIT]’s management structure in order to maintain continuity of its business, legal compliance, and adherence to the University’s own regulations and policies.

[OPTIONAL[JA2]: reference to specific external standards, regulatory requirements and/or contractual agreements can go here]

Purpose

This information security policy defines the framework within which information security will be managed across the [UNIT] and demonstrates management direction and support for information security throughout the [UNIT]. This policy is the primary policy under which all other technical and security related policies reside. Appendix 1 provides a list of all other policies and procedures that support this policy.

Scope

This policy is applicable to and will be communicated to [USER GROUPS <EXAMPLE: all staff, students and other relevant parties including senior and junior members, employees, visitors and contractors>[JA3]]. It covers, but is not limited to, any systems or data attached to the [UNIT]’s computer or telephone networks, any systems supplied by the [UNIT], any communications sent to or from the [UNIT] and any data - which is owned either by the University or the [UNIT] - held on systems external to the [UNIT]'s network.

Organisation of Information Security

[HEAD OF UNIT[JA4]] is ultimately responsible for the maintenance of this policy and for compliance within the [UNIT NAME]. This policy [and subsidiary policies] has [have] been approved by [SENIOR TEAM[JA5]].

[SENIOR TEAM] is responsible for reviewing this policy on an annual basis or when significant changes occur. It will provide clear direction, visible support and promote information security through appropriate commitment and adequate resourcing.

The [SENIOR TEAM] is responsible for assessing identified security requirements and risks, approving risk mitigation strategies and controls, and accepting any residual risk.[JA6]

The [INFORMATION SECURITY COORDINATOR[JA7]] is responsible for the coordination of information security within [UNIT] and, specifically, will act as a point of contact for providing advice and guidance on the implementation of this policy.

It is the responsibility of all [LINE MANAGERS (or equivalent)] to implement this policy within their area of responsibility and to ensure that all staff for which they are responsible are 1) made fully aware of the policy; and 2) given appropriate support and resources to comply.

It is the responsibility of each member of staff to adhere to this policy.

Policy Statement

The [UNIT] is committed to protecting the security of its information assets against breaches of confidentiality, failures of integrity or interruptions to availability.

The [UNIT] will adhere to the University’s Information Security policy and support ‘best practices’ in the information security toolkit.

Information security education, training and awareness will be provided for all new users and for existing users on a regular basis. An information security awareness module[PWJ8] is available for staff to take.

To determine the appropriate level of security controls that should be applied, a process of risk assessment shall be carried out.[JA9]

Risk assessment outputs will be reported to the Information Security Team.[JA10]

Records of the number of security breaches and their type will be kept and reported on a regular basis to [SENIOR MANAGER GROUP].

[UNIT] will follow the University’s policy for the escalation and reporting of security incidents and detected security incidents will be reported to .

Specialist advice on information security shall be made available throughout the [UNIT] and advice can be sought via the University’s Information Security Team and/or OxCERT.

Failure to comply with this policy that occurs as a result of deliberate, malicious or negligent behaviour may result in disciplinary action.

Appendix 1: Supporting Policies and Processes

[List any supporting policies and processes here[JA11]]

[JA1]Specify according to the mission of the unit, in as concise a way as possible.

[JA2]If you have specific standards/contractual arrangements to be adhered to, they can be mentioned here along with any other specific requirements.

[JA3]Insert the relevant user groups to whom the policy will be communicated.

[JA4]Should be a named individual.

[JA5]This is your unit’s group of senior members or governing body.

[JA6]In the first instance this equates to completing steps 4-5 of the “information asset register tool”.

[JA7]You should assign an individual to coordinate information security activities. This is likely to be the person charged with completing steps 1-3 of the “information asset register tool”.

[PWJ8]You should decide your policy: should all staff be required to take this?

[JA9]In the first instance this equates to completing steps 4-5 of the “information asset register tool”. You should also decide a policy on encryption of laptops; see:

[JA10]By sending “information asset register tool” to .

[JA11]Further policies/procedures might include acceptable usage policies, IT security policies, user instructions and guidance.