Presentation is loading. Please wait.

Presentation is loading. Please wait.

© University of Reading 2008 www.reading.ac.uk Information Technology Services 23 December 2015 Information Security Policy Mike Roch - Director of IT.

Published byCharity Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "© University of Reading 2008 www.reading.ac.uk Information Technology Services 23 December 2015 Information Security Policy Mike Roch - Director of IT."— Presentation transcript:

1 © University of Reading 2008 www.reading.ac.uk Information Technology Services 23 December 2015 Information Security Policy Mike Roch - Director of IT Services

2 2 Overall Policy Agreed Autumn 2006 – Part of Information Strategy implementation – Defines scope “All information recorded within the scope of University activity is deemed a University record. Therefore staff have a duty to ensure appropriate keeping and/or disposal of all information they create and handle.” – Relationship to sector standards (BS7799/ISO27001:2005) – Governance Information Strategy Cttee responsible for policy devt. University management structures responsible for implementation (cf Health and Safety policies) – Default review cycle 4 years

3 3 Sub- Policies Agreed Autumn 2007 Systems Planning Policy Systems Management Policy Systems Operation Policy Software Management Policy Communications Networks Management Policy

4 4 Information Security Issues C onfidentiality Can only the appropriate people read it? I ntegrity  Is the data all present and correct?  Could it be altered inappropriately? A vailability Can the appropriate people get to it when required?

5 5 Risk Assessment x Student PC x FOCUS x Lab PC x Staff PC x Dept Web Server

6 6 Systems Planning Policy New systems authorised, given competent advice, and information security requirements recognised Info Security risks assessed for new/upgraded software Information assets identified, classified and recorded Adequate capacity, resilience and fault tolerance specfied Adequate physical and environmental security – FMD Appropriate access controls overall and to O/S controls Testing of compliance with all policies before acceptance

7 7 Systems Management Policy Systems to be managed by suitably trained and qualified staff. Training to include information security Appropriate access controls agreed by management and records kept of access granted and revoked Appropriate log on process, accesses logged, logs secured Appropriate time-outs, password management, etc Tight control of who may issue O/S level commands Change management – sanity checking, stake-holder consultation, audit trails, roll-back System clocks, anti-malware, patching

8 8 Systems Operations Policy Information security risks assessed to inform operations procedures Appropriate physical security, environmental protection and access controls ensured Documented operating procedures, developed with information security in mind Appropriate segregation of duties Reporting of security incidents and software malfunction Appropriate separation of development/test systems from live systems

9 9 Software Management Policy Applications to be managed by suitably trained and qualified staff Procurement and implementation of new or upgraded software to follow a formal, documented process Business case for new or upgraded software shall address information security issues Appropriate change control procedures shall apply Interfaces between applications documented and risks identified All software to be checked and tested independently of live systems before implementation/upgrade Mobile code to be especially scrutinised

10 10 Comms Networks Management Policy Single network design authority – currently IT Services University will provide ubiquitous links Managed by suitably trained and qualified staff Designed to provide suitable performance and reliability Access to resources on the network controlled - data network segregated firewalls to protect critical systems Remote access subject to robust authentication and appropriate encryption New/upgraded software subject to change control Suitable protection from physical, environment and technical threats

11 11 Next steps Documentation – Model policies for departments Training – Identification of general needs

Download ppt "© University of Reading 2008 www.reading.ac.uk Information Technology Services 23 December 2015 Information Security Policy Mike Roch - Director of IT."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
All Rights Reserved, Duke Medicine 2007 IT Security Presented by: Trisha Craig and Don Elsner Principal Auditors – IT Audit Duke University 1.

All Rights Reserved, Duke Medicine 2007 IT Security Presented by: Trisha Craig and Don Elsner Principal Auditors – IT Audit Duke University 1.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Laboratory Personnel Dr/Ehsan Moahmen Rizk.

Laboratory Personnel Dr/Ehsan Moahmen Rizk.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Information Systems Security Officer

Information Systems Security Officer
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.

OHSAS 18001: Occupational health and safety management systems - Specification Karen Lawrence.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
5.2 Personnel Use competent staff Supervise as necessary

5.2 Personnel Use competent staff Supervise as necessary

Similar presentations

Ads by Google