TRAK will be undertaking research, scholarship and learning and is heavily dependent on using information in whatever form and wherever it exists. Because of its importance, we recognise that this organisation must protect its information assets. We will do this in ways that are appropriate and cost effective. This will help safeguard adherence to the General Data Protection Regulation 2016/679 and maintain our good reputation for security.
Our ability to exploit and gain advantage from information will enable us to maintain and improve our reputation and ensure that we meet our strategic goals. This policy will therefore support and strengthen the implementation of our Information Strategy.
2. SECURITY OBJECTIVE
Our security objective is to protect TRAK from security problems that might have an adverse impact on our operations and professional standing.
Security problems can include loss of confidentiality (the wrong people obtaining information), integrity (information being altered without permission, whether deliberately or accidentally) and availability (information not being available when it is required). The widest possible definition of security will be used, covering all types of incident that affect the effective use of information. This includes performance, consistency, reliability, accuracy and timeliness.
We will use the Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security, on which BS7799 (Code of Practice for Information Security Management) is based, as the framework guiding our approach to managing security.
We will use all reasonable, appropriate, practical and effective security measures to protect our important processes and assets in order to achieve our security objectives.
We will continually examine ways in which we can improve our use of security measures to protect and enhance our business.
As a responsible organisation, TRAK will protect and manage our information assets to enable us to meet our contractual, legislative, privacy and ethical responsibilities.
As a centre of research and scholarship, we will ensure that our data are held safely so that their continued validity is not questioned.
Everyone within TRAK or who uses our information will be responsible for protecting our information assets, systems and infrastructure. They will, at all times, act in a responsible, professional and security-aware way, according to the principles in this Policy.
Everyone will protect information assets that are entrusted to them, whether such protection is required contractually, legally, ethically or just out of respect for other individuals or organisations.
We recognise the right to academic and individual freedom, but freedom also requires responsibilities. An individual may not put the intellectual and information assets of others at risk through carelessness or selfishness.
All those associated with TRAK are responsible for identifying security shortfalls in our existing practices and/or improvements that could be made.
All members of TRAK are expected to actively coach and encourage best practice amongst colleagues.
The chief information officer (CIO) is responsible and accountable for ensuring that our security objective is achieved.
The CIO is responsible for allocating sufficient resources to allow TRAK to realistically achieve its security objectives. This includes people, time, equipment, software, education and access to external sources of information and knowledge.
Any breaches, or suspected breaches, of the GDPR will be reported to the Information Commissioner, whether caused by members of TRAK or by external organisations. Any remedies suggested by the Commissioner should be implemented immediately (if not already actioned).
Using risk analysis techniques, we will identify our security risks and their relative priorities, responding to them promptly and confidently, implementing safeguards that are appropriate, effective, culturally acceptable and practical.
To promote better sharing and exploitation of information, all members of TRAK will have free access to internal information, including details of the security measures employed, unless there is a clear need to restrict their access, e.g. where restricted data has been provided by an organisation such as the National Pupil Database.
All members of TRAK will be accountable for their actions and all actions will be attributable to an identified individual through use of password protected accounts on the organisation website.
All information (including third party information) will be protected by safeguards and handling rules appropriate to its sensitivity and criticality.
Information held by TRAK will only be disclosed to third parties when their need to know it has been consciously assessed and with clear undertakings on its subsequent use. Information owners will be responsible for identifying to whom their information may be released and on what terms. Research and scholarship information has important intellectual property rights; disclosure of personal information is subject to law.
TRAK will ensure that actual or suspected security incidents relating to ICT systems are reported promptly to the CIO, who will ensure that each incident is managed to closure and analysed for lessons to be learnt. Documented Procedures and Standards, together with education and training, will supplement these Principles.
Compliance with the Policy will be monitored on a regular basis by Internal Audit.
3.4 Security Policy Review
The CIO owns this Policy and is committed to the implementation of it. He will facilitate an annual review of it by the Business Strategy Group. The policy will be reviewed for completeness, effectiveness and usability. Effectiveness will be measured by TRAK’s ability to avoid security incidents and minimise resulting impacts, together with a process for benchmarking security maturity with other similar establishments.
3.5 Policy Awareness
The CIO will send an electronic copy of this policy to each new member joining TRAK and keep the current edition readily available on TRAK’s Intranet server. Following each review, the online document will be updated and copies sent to all members.
3.6 Applicability and Enforcement
This Policy applies to all members of TRAK who administer the website.
Failure to comply with the Security Policy could damage the image of TRAK.
Last updated 21 April 2018 to reflect change in UK legislation (GDPR)