Document Control
Revision 1.2, Author: Martin Keen, Date: 22 June 2021
Previous versions
Revision 1.1, Author: Richard Bartlett, Date: 31 May 2016 – Addition of Personal and Identifiable data paragraphs to section 5.4
Revision 1.0, Author: Richard Bartlett, Date: 19 April 2016 – Approved by Council of School
Revision 0.9, Author: Richard Bartlett, Date: 13 April 2016 – IT Committee approved document submitted to Council of School
Revision 0.1, Author: Richard Bartlett, Date: 23 March 2016 – Submitted to School IT Committee for approval
Purpose
This ‘top level’ information security policy sets out areas of risk which all School IT Service Providers should review and address, to ensure that appropriate information security policies and procedures are in place across the School.
This policy does not stipulate the content of any policy or procedure, but rather the outcomes which they should deliver. This should provide the School with sufficient assurance that appropriate and effective information security measures are in place, whilst allowing each institution to take the measures it deems appropriate under its own responsibility.
Scope
Where data is held on systems regarded as Data Safe Havens (e.g., the Secure Data Hosting Service (SDHS)) that are subject to further compliance standards, e.g., the NHS Toolkit or ISO 27001, the requirements and policies of the relevant standard should apply.
Responsibilities
Institutions have a responsibility to put in place appropriate and proportionate measures to comply with the UK and EU data protection legislation, contracts the University has with data providers (e.g., NHS Digital) or the Trust, and research grant provisions. Against that they have to balance their responsibility to facilitate research, teaching, and administration, and uphold the University and School’s core values of freedom of thought and expression.
Users have a responsibility to comply with any policies, procedures or working practices which their Institution puts in place to protect the systems and data under its care.
Requirements
All School IT providers should have policies and procedures to address the following areas of information security risk. Each requirement could be covered by a specific policy, or as one element of a larger policy.
– Acceptable Use
To protect users and data from harm caused by misuse of Institution IT systems, acceptable and unacceptable behaviour on the network should be defined in policy. Any local policy should comply with the Rules Made by the Information Services Committee[1], and the terms of the provision of the JANET service[2]. There should be a process through which all users are made aware of this policy, with their explicit acceptance of it recorded where possible.
– Access Control
To ensure that proper care has been taken to protect data and systems, policy elements should define how access to systems and data is granted, monitored and revoked. As far as possible the principle of least privilege should be followed, bearing in mind the relative freedoms required by Academic Research staff in the course of their work.
Due regard should be paid to the Data Protection Act 2018 Principles[3] and any other legislation which may be applicable to the research activity of the institution. It may be appropriate to include information about how unauthorised access is prevented, detected and responded to.
– Authentication
To comply with the most fundamental principles of information security[4], and the Rules made by the Information Services Committee[5], users with access to systems and data should be authenticated. Policy elements should address how users authenticate themselves, and what controls are put in place to manage the risks associated with authentication methods.
Any local policy should define a password policy which addresses the risk of credentials being used by someone other than the intended party, whether through compromise, sharing between users, or re-use on non-University systems which are then compromised.
Where appropriate, two-factor authentication may also be stipulated in policy to protect particularly sensitive data or systems.
– Data Handling
General best practice in handling administrative and research data should be embedded within the conditions of grant funded research, administrative processes or other local guidance. However, the measures which should be taken to protect data being received, captured, created, stored and processed by an institution should be defined.
Appropriate locations should be defined for different categories of data according to their sensitivity and value. The more sensitive or valuable the data, the more care should be taken in the way it is handled. Specific attention should be paid to the use of portable storage (encrypted and unencrypted), single-copy storage on local disk, and central storage.
– Compliance with Legislation
Data which is defined as “sensitive personal data” under Part 1 Section 2 of the Data Protection Act 1998[6] (the equivalent of “special category” personal data under the Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR) (EU) 2016/679) must only be stored where appropriate protections can be applied (specifically access control, authentication, and monitoring and logging), which typically would not include local storage on a PC.
Data defined as “personal confidential data” in Figure 1, Section 6.3 of the Information Governance Review[7] (also referred to as “Patient Identifiable Data” or “Participant Identifiable Data”) must only be stored in accordance with the School’s Information Governance Policy[8].
For more specific information on compliance with legislation, please consult the following:
- Data Protection Act 2018 (incorporating the General Data Protection Regulation (GDPR) (EU) 2016/679)
- Section 251 of the National Health Service Act 2006
- Tort
- Computer Misuse Act 1990 (relevant to any hacking/misuse)
- Prevent duty under the Counter-Terrorism and Security Act 2015 (relevant to the use of hacked computers for terrorism)
- Regulation of Investigatory Powers Act 2000 (right to monitor email, event logs etc. in the course of ordinary business where a security breach is suspected)
- Copyright, Designs and Patents Act 1988 (copyright of software)
- Immigration, Asylum and Nationality Act 2006 (relevant to the controls on screening and employment)
- Copyright Act 1956
– Email
Email is a significant source of risk of information security breach, through malware and phishing, and also information leakage through human error, or lack of awareness of appropriate communication methods for different types of data.
Policy elements should address how attachments to emails are handled (both by any systems level protection but also by guidelines for staff), and any restrictions on email including what content can or cannot be sent, or which recipient addresses can or cannot receive certain content.
– Incident Response
A process should be defined which is followed in the event of a security incident. That process should define what triggers incident response, the roles and responsibilities of those involved in incident response, the process for recording, investigating, analysing, mitigating, resolving and preventing incidents, and the reporting which may be required both internally and externally (e.g. compliance with School Incident Management and Reporting Procedures[9] or University Information Services CERT procedures[10]).
– Mobile Computing
With the proliferation of mobile devices (smartphones, tablets and laptops), many of which are not directly managed by Institutions, it is important that the risk these devices may present is assessed, and appropriate controls put in place to prevent data loss, release, or unauthorised access.
Institutions should ensure that any devices connected to their network or the University network are appropriately authorised and authenticated, and that staff are aware of what is and is not appropriate to store (directly, or indirectly as the contents of email) on their mobile devices. Encryption may be used as a risk reduction measure to allow users flexibility of access whilst protecting the Institution’s (and their own) data and privacy.
– Monitoring and Logging
All institutions should monitor and log activity on their network to the extent needed to provide assurance that only authorised persons are accessing the data the Institution is responsible for. However, it is very important that the level of monitoring and logging is proportionate, and all users of Institution systems are informed about what is logged, for what purposes, and how long that data is retained.
An Acceptable Use Policy (see Acceptable Use above) could contain user-facing information about the nature of logging, but a specific policy on what is logged, why, how that data is stored and protected, and when it is destroyed is an important protection for the Institution and its staff.
– Remote Access
University staff and students, and researchers in particular, depend upon remote access to Institution systems. That capability expands the systems which connect to the network significantly, and increases the risk of unauthorised network access accordingly. A Remote Access Policy should address that risk, defining the permitted remote access methods, the process through which people are granted remote access, and any measures which are taken to prevent unauthorised access.
Management
All Institutions under the School should confirm that they have put in place measures to comply with this School Information Security Policy, and should submit those documents to the School IT Committee as evidence to support that assurance.
Where policies and procedures do not already exist sample templates can be provided, and the School IT Committee may call upon expertise within the School or the University to assist Institutions in developing the necessary policy framework.
It is desirable that policy within the different School Institutions converges over time to reduce the burden of administration, facilitate collaboration between Institutions, and improve the efficacy of governance in this area overall.
[1] https://help.uis.cam.ac.uk/policies/governance-and-policy-documents
[2] https://community.jisc.ac.uk/library/janet-policies/terms-provision-janet-service
[4] http://systems.hscic.gov.uk/infogov/security
[5] https://help.uis.cam.ac.uk/policies/governance-and-policy-documents
[6] http://www.legislation.gov.uk/ukpga/1998/29/section/2
[7] https://www.gov.uk/government/publications/the-information-governance-review
[8] https://www.medschl.cam.ac.uk/research/information-governance/information-governance-policy/
[9] https://researchgovernance.medschl.cam.ac.uk/information-governance-storage-of-research-participant-data/incident-management-and-reporting-procedures/