Brasenose College Information Security Policy (ISP v1.7)
1. Introduction
Brasenose College seeks to maintain the confidentiality, integrity and availability of information about its staff, students, visitors, alumni and its affairs generally. The College recognises the importance of preserving its reputation and that of Oxford University. Compliance with legal and regulatory requirements relating to information security is fundamental.
2. Objective
This policy defines the framework for managing information security across the College. It demonstrates management direction and support for information security and outlines measures to prevent unauthorised access or data loss.
- Treat information security seriously.
- Maintain awareness of security issues.
- Adhere to applicable policies and guidance.
3. Scope and Definitions
The policy applies to all College information and operational activities, including:
- Records concerning pupils, students, alumni, staff, visitors, conference guests, and external contractors.
- Operational plans, accounting records, and minutes.
- All facilities used to store, process and transmit information.
- Any data identifying a person (e.g. names and addresses).
It applies to all staff, students, Fellows, lecturers, members of JCR/HCR and other officers. All must be familiar with this and supporting policies.
4. Policy
Brasenose College aims, as far as reasonably practicable, to:
- Protect the confidentiality, integrity and availability of all data held in systems.
- Meet legislative and contractual obligations.
- Protect the College’s intellectual property.
- Maintain business continuity plans for data backup and recovery.
- Prohibit unauthorised use of College information and systems.
- Provide information security training appropriate to each role.
- Report any actual or suspected security breaches to the Data Protection Officer within 24 hours.
5. Risk Assessment and Classification of Information
- Security control depends on information sensitivity. Risk assessment determines the appropriate security level.
- Identify information assets, assign ownership, classify by sensitivity and criticality.
- Label and handle data according to classification.
- Document acceptable use rules and implement controls.
- Review risks periodically and when infrastructure changes.
- Handle personal data in accordance with GDPR and this policy.
- Apply higher security to ‘special category’ data such as race, religion, health, biometrics, sexual orientation or political views.
6. Responsibilities
- The Governing Body establishes and reviews the Information Security framework.
- Department heads ensure suitable security controls are implemented for data in their areas.
- The Data Protection Officer (DPO) oversees the policy, data breach responses, and subject access requests.
- The ICT Manager supports the DPO by managing day-to-day security and maintaining this policy.
Failure to follow this policy may result in disciplinary action or fines under the GDPR (up to €20 million or 4% of annual turnover for serious infringements).
7. Access to Information and Information Systems
- Information assets are owned by named College sections. A list is maintained by the DPO.
- Access is restricted to authorised users through physical and logical controls (locks, encryption, clean-desk practices).
- Logical controls include strong passphrases (min. 14 characters), changed regularly, never shared or emailed.
- Privileges granted only as needed for job duties.
- Access logs retained for at least six months.
- ICT staff review permissions biannually.
- Leavers must return College assets and access must be revoked promptly.
- Domain administrator privileges restricted and approved by DPO after risk assessment.
- Visitors use temporary credentials, disabled at end of visit.
- Internal sensitive documents shared via encrypted email.
- Suppliers and contractors accessing College data must comply with the Supplier Information Security Policy and may require a Third Party Security Assessment (TPSA).
- Use of cloud services must follow the Cloud/Third Party Services Code of Practice (Annex Two).
7.2 Use of Personal Computer Equipment and Removable Storage
- All College-provided devices must be fully encrypted before use.
- Personal devices accessing College data must be password protected and, where possible, encrypted.
- Privately owned devices must have up-to-date antivirus, security patches, and OS updates.
- Non-encrypted removable storage must not hold College personal data unless explicitly approved following risk assessment.
- Personal devices used for email must support secure configurations and remote-wipe capabilities.
- The College may block access to its data if this policy is breached.
7.3 Servers
- All servers must be managed by the ICT Department unless approved otherwise by the DPO.
- Servers must be in access-controlled and temperature-controlled rooms.
- Backups must be encrypted and stored offsite.
- Servers must be registered with ICT staff and have documented contacts and system details.
7.4 Network Security
The ICT team manages network security by maintaining logs, using firewalls, and monitoring for intrusions and unauthorised access. Network activity logs should be retained for at least 60 days and include timestamps, MAC and IP addresses, and usernames.
7.5 Email and Internet Use
- Email use is governed by University ICTC Regulations (2002).
- Virus warnings must be checked by ICT before forwarding.
- Email groups are for work purposes only; personal advertising is prohibited.
7.6 Software Compliance
- Only properly licensed software may be used on College systems.
- Users must not copy or install unapproved software.
- ICT maintains a software register with licence information.
- Licensed software must be removed before disposal.
7.7 Clear Desk / Clear Screen
- Lock away confidential data when unattended.
- Use confidential waste bins for disposal.
- Retrieve documents immediately from printers/copiers.
- Computers must auto-lock after 10 minutes.
- Secure laptops, phones, and portable devices when unattended.
7.8 Information Backup
- Define backup schedules based on data criticality.
- ICT is responsible for ensuring backups are maintained and tested.
- Backups stored securely offsite; regularly tested for reliability.
8. Computer Equipment Disposal
All data must be securely destroyed before disposal. Hard drives must be wiped or physically destroyed. Disposal should comply with University and WEEE directives. Hazardous waste is handled via the ICT Manager.
9. Data Breach / Loss
- Personal data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
- Breaches include theft, unauthorised access, human error, equipment failure, hacking or deception (“blagging”).
- All incidents must be reported under the College’s Data Protection Breach Policy (Annex 1).
Annex 1 – Brasenose College Data Protection Breach Policy
Policy Statement
Brasenose College holds large amounts of personal and “special category” data. Every care is taken to protect such data and to avoid breaches. In the unlikely event of loss or unauthorised disclosure, prompt action must be taken to minimise risk.
Purpose
This procedure applies to all College staff and sets out the steps to follow if a data-protection breach occurs.
Scope
Applies to all personal and special-category data held by Brasenose College.
Types of Breach
- Loss or theft of data or equipment.
- Inappropriate access controls.
- Equipment failure or human error.
- Fire, flood or other unforeseen events.
- Hacking or deception (“blagging”).
Reporting a Breach
Anyone discovering or suspecting a breach must inform their line manager and the ICT Manager / Infrastructure Officer immediately. The College must report qualifying breaches to the ICO within 72 hours.
Immediate Containment / Recovery
- Stop the breach if still occurring and take steps to contain it (e.g. shut systems down).
- Inform the Data Protection Officer (DPO) as soon as possible – normally the Bursar (or, in absence, the ICT Manager or Domestic Bursar).
- Consider whether the police need to be informed if illegal activity is suspected.
- Take immediate recovery steps – recover equipment, alert affected individuals and departments, restore back-ups, change passwords, contact banks if necessary.
Investigation and Notification
The DPO will ensure a full investigation is conducted (with ICT and line management). The College must record all breaches and notify the ICO and affected individuals if their rights or freedoms are at risk. Investigations should be completed urgently – ideally within 24 hours of discovery.
Review and Evaluation
After containment, the DPO must review the cause and response effectiveness and report to the relevant governance committee. If systemic issues are found, create an action plan to correct them. This policy should be reviewed annually or after legislative change.
Useful Contacts
- Data Protection Officer – data.protection@bnc.ox.ac.uk
- ICT Department – 01865 277513 | computer.office@bnc.ox.ac.uk
- ICT Manager – 01865 615902 | john.kinsey@bnc.ox.ac.uk
Annex 2 – Cloud / Third-Party Services Code of Practice
Purpose and Scope
This code defines roles, responsibilities and approved services for processing College data through cloud or third-party providers. It applies to all staff and students using such services for College information.
Responsibilities
- All users are responsible for data they handle via cloud or third-party systems.
- The ICT Manager implements this policy and assesses third-party assurance.
- The DPO develops and monitors the policy’s effectiveness.
Approved Services and Principles
- Use only approved services with legal agreements in place between the College and provider.
- Approved cloud services: Microsoft OneDrive & Office 365; Google Docs / Drive / Apps; Uniware Solutions Cloud EPOS; Apple iCloud & iDisk.
- Sharing credentials between College and personal devices is forbidden unless devices meet College security standards and two-factor authentication is enabled.
- Cloud services must not be used for “special category” data unless contracts guarantee strong encryption and security controls.
- Personal cloud accounts must not store College data or transfer ownership of College information.
- Pay particular attention to GDPR Principle 8 (transfer of data outside the EEA).
Service Provider Risk and Contracts
- Assess security, data management, retention and exit conditions before use.
- All legal agreements must be approved by the College Bursar.
Compliance
- Annual contract and policy reviews are required.
- At least one spot-check for policy compliance will be conducted each year.
Annex 3 – Supplier Information Security Policy (v1.1)
Introduction and Purpose
Brasenose College relies on IT services from third-party suppliers. This policy ensures contracts maintain data protection and information security standards required under GDPR and the Data Protection Act.
Scope
Applies to all contracts and partnership arrangements involving IT solutions or services requiring access to personal data (e.g. payroll, student records, mailing houses etc.).
Policy Statement and Obligations
- All third parties processing College data must complete a Third Party Security Assessment (TPSA) before contract award.
- Suppliers must meet minimum data-protection requirements (Appendix A). Failure may be a material breach and grounds for termination.
- Contracts must clearly define data protection responsibilities, processing scope, data types and rights of each party.
- Sub-contractors must meet the same standards and be listed in the TPSA.
- Third parties may access College information only where formally authorised and documented in contracts or sharing agreements.
- External access must be monitored and disabled when no longer required.
- Sale of College data by suppliers is strictly prohibited.
Security Incident Management and Breaches
- Suppliers must have incident-management procedures and notify the College within 24 hours of any significant incident.
- Personal data breaches must be reported to the College immediately so the ICO can be notified within 72 hours if necessary.
- Non-compliance may lead to termination of contracts and legal action.
Appendix A – Data Protection and Information Security Guidance
This appendix outlines minimum data-protection and information-security standards expected from suppliers and partners handling College information.
1. Paper Records and Confidentiality
- Paper records must be locked away at the end of each day.
- Keys or access tokens should only be issued to those who require them.
- Confidential records must be securely destroyed when no longer needed.
- Printers and faxes for confidential data should be restricted to authorised staff.
- Confidential documents must not be left on printers or copiers.
2. Electronic Records and Confidentiality
- Electronic documents must be encrypted with a minimum 14-character password.
- Fax should be used only where no secure alternative exists.
- Access credentials must not be sent by SMS, text or instant message.
- Any loss or unauthorised disclosure of College data must be reported within 24 hours.
3. IT Equipment and Confidentiality
- Laptops, USBs and other devices containing College data must be locked away when not in use.
- All devices must have up-to-date anti-virus software with automatic updates enabled.
- Operating-system and software security patches must be applied promptly.
- Mobile devices must be PIN-protected and encrypted where possible.
- Old devices must be disposed of securely to destroy data on hard drives.
- Anyone with access to College data must take reasonable steps to avoid accidental or intentional disclosure.
Brasenose College ICT Office – Contact: computer.office@bnc.ox.ac.uk | Tel +44 (0)1865 277513 | www.bnc.ox.ac.uk