[Physstaff] FW: Implementation of Uni Info Security Policy
Timothy Briggs
timothy.briggs at strath.ac.uk
Tue Mar 3 16:21:00 GMT 2015
Hello,
I've been asked to forward the following to you by Ronnie Wallace (Faculty IT Coordinator), about the Information Security policies of the University.
Details can be found here:
http://www.strath.ac.uk/staff/policies/informationsecurity/
Here are the highlights:
(a) Before purchasing a new device, staff should consult with their local IT staff as required by the Policy on the Procurement of IT Commodity Devices
This policy came about for two reasons. Firstly it is to ensure that the University can fulfil its obligations to ensure that devices are encrypted. This is seen as a vital step for all organisations by the Information Commissioner. It was also a direct recommendation in the Information Security Audit carried out by the External Auditors on our Faculty in 2013. It will also help ensure that devices are set up to take advantage of the many software packages and operating systems for which the University has a site license.
I no longer want IT support staff to be in the position where they are presented with a device from a member of staff of which they have had no input in the procurement process.
(b) No one should ever have to share their authentication credentials with another colleague
Anyone finding that they have to do this to complete a task may have a problem with their access rights that can easily be addressed or possibly needs advice and/or training on different ways to achieve the same results. If they do have such issues it is important that these are identified so they can be addressed.
(c) In the James Weir fire a large amount of very valuable information was on local devices
Following the fire none of this information could be accessed until after the devices were cleaned and this led to long delays in retrieving vital data. Local devices are also easily lost or stolen and of course can fail. For these reasons, wherever possible use should be made of network filestore rather than using storage on the local device.
In relation to network filestore, the University's provisioning has recently taken a step change and so should meet most user/dept requirements. With regard to departments that offer their own networked storage it should be at the very least mirrored between two different buildings. (The University storage offering is mirrored and replicated across two sites and backed up to a third site.)
I would expect a migration away from departmentally hosted storage services in the longer term as the Research Data Management and Sharing Project delivers new tools to access that storage such as Strathcloud.
Every effort should be made to avoid carrying USB data pen drives. If you do, and they contain information that is confidential or commercially sensitive, encrypting them is vital.
(d) Unsurprisingly Disaster Recovery shot up the agenda following the James Weir fire and it was also highlighted as an area to be addressed in the Information Security Audit completed last year
It is important that IT systems on which you depend for your day-to-day operation have Disaster Recovery Plans in place. These are already in place for centrally provided systems like email, central filestore and PEGASUS. However, if anyone in your department offers an IT service that performs a critical function for the running of your department and/or faculty it needs to have a Disaster Recovery Plan in place (reviewed annually) and stored on the University's external SharePoint site.
It is stored externally so that it could still be accessed following a catastrophic event that meant all IT systems were unavailable. Details of how to access this site and a document template have previously been provided to your department IT staff contacts.
If you would like to discuss any of this further feel free to get in touch.
If you want more information on these policies, or help in complying with them, please contact me or Colin Bain.
Many thanks,
Timothy
Timothy Briggs
Research and Teaching Support
Department of Physics, University of Strathclyde, John Anderson Building, 107 Rottenrow, Glasgow G4 0NG
Tel: 0141 548 3376 Fax: 0141 552 2891 Email: mailto:timothy.briggs at strath.ac.uk
The University of Strathclyde is a charitable body, registered in Scotland, number SC015263