Brasenose College Information Security Policy (ISP v1.8) & Annexes

1. Introduction

Brasenose College seeks to maintain the appropriate level of confidentiality, integrity, and availability (CIA) of all the information it owns or processes. Compliance with legal and regulatory requirements with respect to this Information is fundamental.

2. Objective

This information security policy defines the framework within which information security will be managed by the College to keep information appropriately secure, accurate and available.

In support of this objective all users of data assets, whether they are manual or electronic, have roles and responsibilities in ensuring information is protected by:

  • Treating information security seriously
  • Maintaining an awareness of security issues
  • Adhering to applicable security policies / following applicable guidance
  • Reporting issues and incidents as they arise to either a line manager or the data protection team (data.protection@bnc.ox.ac.uk).

Sensitive Information relating to living individuals (such as may be found in Personnel, Payroll, Alumni and Student Record Systems) should only be stored in the appropriate secure systems and is subject to legal protection. All users of the ICT system are obliged, under the terms of the UK Data Protection Act (2018), to ensure the appropriate security measures are in place to prevent any unauthorised access to personal data, whether this is on a workstation or on paper.

3. Scope and definitions

The scope of this Information Security Policy extends to all Brasenose College’s information and its operational activities including but not limited to:

  • Records held by the College relating to any individual.
  • Operational plans, accounting records, and minutes.
  • All processing facilities used in support of the College’s operational activities to store, process and transmit information.
  • Any additional information that can indirectly identify a person, e.g. photography or IP addresses.

This policy covers all data access and processing pertaining to the College, and all staff and other persons (including students, Fellows, Lecturers, JCR/HCR members, relevant contractors, and other officers of the college not already part of these groups) must be familiar with this policy and any supporting guidance. Any reference to staff shall be regarded as relating to permanent, temporary, contract, and other support staff as applicable.

4. Policy

Brasenose College aims, as far as reasonably practicable, to:

  • Protect the confidentiality, integrity, and availability (CIA) of all data it holds in systems. This includes the protection of any device that can carry or access College data, as well as protecting physical paper copies of data wherever possible (e.g. clean desk policies).
  • Meet legislative and contractual obligations.
  • Protect the College’s intellectual property rights.
  • Produce, maintain, and test business continuity plans so that the College can continue to operate if employees and members are not able to access systems due to IT problems or loss of physical access.
  • Prohibit unauthorised use of the College’s information and systems.
  • Communicate this and other related Information Security Policies to all persons processing or handling college data.
  • Provide information security training to all persons appropriate to their role.
  • Report any breaches of information security, actual or suspected, to the Data Protection Officer (DPO) as soon as they occur or are observed.

More detailed policy statements and guidance are provided in Section 7 of this Policy.

5. Risk Assessment and the Classification of Information

5.1 The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security is a process of risk assessment to identify and classify the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring.

5.2 The risk assessment should identify Brasenose College’s information assets; define the ownership of those assets; and classify them, according to their sensitivity and/or criticality to the College or University as a whole. In assessing risk, the College should consider the value of the asset, the threats to that asset and its vulnerability.

5.3 Where appropriate, information assets should be labelled and handled in accordance with their criticality and sensitivity.

5.4 Rules for the acceptable use of information assets should be identified, documented, and implemented. The College has a Data Classification & Handling Scheme that all college members should be aware of. It can be found within the College’s GDPR Framework documentation found here: https://www.bnc.ox.ac.uk/privacypolicies

5.5 Data Protection Impact Assessments (DPIAs) must be completed before any new (or planned significant change to existing) data processing activities commence that could result in a higher risk to either data subjects or college sensitive data.

5.6 Personal data must be handled in accordance with the UK Data Protection Act (2018) and in accordance with this policy.

5.7 The UK Data Protection Act (2018) requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

5.8 A higher level of security should be provided for ‘special category data’, which is defined in the UK Data Protection Act (2018) as data relating to race, ethnic origin, religion, genetics, biometrics (where used for ID purposes), health, sexual life, sexual orientation, politics, or trade union membership.

6. Responsibilities

The Governing Body is responsible for ensuring an appropriate and effective Information Security framework is in place. This responsibility extends to the facilitation and encouragement of healthy organisation wide cultures and values that support safe and supportive environments for the reporting of issues, concerns, and breaches.

Governing Body requires all system owners and process owners to be accountable for implementing an appropriate level of security control for the system & information held and processed by their systems and processes. Any reviews or amendments to systems or processes should include a review of the information handling implications by appropriately qualified members of staff.

Each person is accountable to the system or process owner for operating an appropriate level of security control over the information and systems they use to perform their duties.

The Data Protection Officer is responsible for overseeing and reviewing the College’s obligations and ensuring compliance with all relevant data protection / information security legislation, and approving all subject access requests and responses to data breaches.

The IT Director is responsible for ensuring the College prepares appropriate information security policies, reviewing / monitoring whether they are being followed, and acting as a first responder to information security incidents.

The IT Director also assists the DPO by coordinating the day-to-day management of information security, logging incidents, maintaining this Information Security Policy as well as the college’s data protection framework documents (e.g. Privacy notices and ROPAs), and providing advice and guidance on its implementation and training.

It is noted that failure to adhere to this Policy may result in the College suffering financial loss (arising both as fines imposed by the Information Commissioner’s Office and by way of damages sought by an individual whose data has been inappropriately handled), operational incapacity, and loss of reputation. Data access or processing that fails to observe the provisions of this policy may result in disciplinary action, but the College also recognises the importance of transparency and openness, and the avoidance of a “blame culture”. The College therefore encourages its members to be open about concerns and such openness will reduce the likelihood of disciplinary action; conversely secrecy about mistakes or concerns will increase the likelihood of disciplinary action.

7. Information and Information systems

7.1.1 Information assets shall be owned by a named section within college. A list of information assets, and their owners, shall be maintained by the DPO.

7.1.2 Access to Brasenose information shall be restricted to authorised users and shall be protected by appropriate practical physical and/or logical controls.

Physical controls for information and information processing assets shall include:

  • Locked storage facilities (supported by effective management of keys)
  • Locks on rooms which contain computer facilities. Electronic locks should have their database systems reviewed at frequent intervals to ensure user access control is up to date.
  • PCs and other devices in lockable areas. Exits covered by CCTV.
  • “Clean desk” policies.
  • Effective encryption of data either transmitted or taken outside College’s properties.

Logical controls for Brasenose information and information processing assets shall include passphrases for systems access. Where systematically possible, multifactor authentication should be enforced. It should be noted that the University SSO (Microsoft) identity has multi-factor authentication built in & should be the identity management tool of choice for accessing web-based systems where it is technically possible to do so. Future system developments should look to utilise this credential.

Passphrases shall follow good security practices and use the following techniques:

  • All administrator level passphrases (e.g., root, enable, admin, application administration accounts, etc.) should be changed regularly. Root / system administrative level passphrases should be changed on at least a yearly basis.
  • Strong authentication (minimum 16-character length, non-reusable passphrases) will be used when accessing Brasenose information.
  • Users should have the ability to change their passphrases at any time.
  • Permanent Passphrases protecting Brasenose information or systems must not be inserted into email messages, electronic or physical letters. One-time temporary passphrases or codes may be sent by MS Teams or to a personal University Nexus365 email account.
  • Any exception to these provisions must be subject to a specific risk assessment and is only permitted where approval is given by the IT Director.
  • Each user of any ICT system that stores, accesses or processes Brasenose Information is responsible for the security of their own passphrase and maintenance of any multi-factor authentication tools.
  • Access privileges to specific systems shall be allocated based on the minimum privileges required to fulfil that member of staff’s duties. Access privileges shall be authorised by the appropriate manager or system owner.
  • All shared computer systems will require users to authenticate before use (unless authenticated network access controls are already in place) and will enable activities to be traced to an authenticated user.
  • To allow for potential investigations, network logs should be kept in the University SAVANT cloud for a minimum of six months, or for longer where considered appropriate.

External access to the College’s administered networks and systems.

  • College ICT staff shall review all external access permissions on a biannual basis.
  • Access to physical information assets – for example printed paper documents, and media containing information – shall be governed as appropriate by the same principles as above.
  • Appropriate processes shall be in place to ensure that all employees, contractors and third-party users have information and physical access permissions granted expediently on joining the organisation, are held only for as long as that person is affiliated with the College, and are revoked immediately when they leave the College. Further those leaving the College must return all information assets in their possession upon termination of their employment, contract or agreement. Department heads or other relevant roles are responsible for completing leavers’ checklists and communicating leavers actions to the IT team.
  • Most circumstances under which the College may monitor use of its ICT systems and the levels of authorisation required for this to be done form part of the University’s “Regulations Relating to the Use of Information Technology Facilities”.
  • Domain administrator privileges – those that can override system and application controls on multiple devices and services college wide – shall be restricted to those persons who are authorised by the IT Director and on a named basis (i.e. no shared identities are permitted).
  • Visitors to the College should be provided with specifically assigned credentials and should be appropriately authenticated and automatically disabled at the end of their term with the College.
  • All internal electronic documents that contain personal or sensitive information should be internally distributed via a permission-based share-link as opposed to actual copies of the file distributed by email.
  • All suppliers or contractors that access or process Brasenose College information must either demonstrate suitable information security standards (as defined in points A, B, C & D below) or agree by contract to process information in accordance with this policy and other relevant policies.
    • A. Actively certified to information security standard ISO27001.
    • B. If a Cloud service provider, additionally certified to cloud information security standard ISO27017.
    • C. Data is processed, accessed, and backed up solely inside the UK or within the European Economic Area (EEA).
    • D. The Data Protection Officer is satisfied that any stipulated maximum financial liabilities with regard to data protection in the supplier engagement contract are within the college’s risk tolerance.

Any required Third-Party Supplier Assessments (TPSA) are managed by the College ICT team.

  • The use of approved third-party cloud services for the storage, processing or handling of college data must follow the College’s Cloud/3rd Party Services – Code of Practice policy laid out in Annex 2. If a cloud service provider or third party is not on the approved Cloud / third party list (Appendix 2), then members of college must not use that provider to process college information.
  • No third-party supplier or service provider should be engaged to process college information without permission of the DPO.

7.1 Use of Personal Computer Equipment and Removable Storage

  • The college must ensure all devices provided for the purposes of processing or storing college data are fully encrypted before deployment and that users are aware of this policy.
  • The College recognises that there may be occasions when college members need to use their own computing equipment to access information (including personal data and emails). Users should ensure their devices are:
    • Protected with a suitable strong passphrase (minimum 16 characters) or biometric feature.
    • Running an in-support operating system that is patched to the latest version.
    • Protected (where possible) with active and up to date anti-virus.
    • Encrypted.
    • Using either University or Brasenose VPN services to enable encryption of traffic over unsecured networks.
  • The DPO or ICT Director reserves the right to revoke access to systems or information on personal devices where data contained/transmitted is deemed sensitive and the personal device is not suitably secure.
  • It is required that:
    • If the DPO allows College information containing personal data to be saved onto non-encrypted removable storage, it shall be encrypted before being transferred to the storage device. A Risk Assessment is to be carried out before this occurs.
    • Brasenose College information shall not be retained on removable storage devices longer than necessary (i.e. once information that has been updated on a computer owned by a member of staff, or on a server has been archived / backed up, the information should be securely deleted from the removable storage device).
  • The use of personal devices to access emails is permissible but, in the case of college non-academic staff, line managers reserve the right to revoke such permission. It is advised that users consider separating work and personal email accounts.
  • Users should understand that if they set up their university email address on personal devices, there is a remote wipe feature that can be activated by college IT staff that could potentially remove data stored on the personal device (if the device has been compromised).
  • The College reserves the right to stop transmission or access to any of the data it owns if this policy is not followed.

7.2 Servers

This policy applies to server & network equipment owned and/or operated by Brasenose College. No server grade or capable services should be run on the College’s internal networks without authorisation by the IT Director or Infrastructure Manager.

  • All servers must be physically located in access- and environment-controlled rooms.
  • Servers should be backed up incrementally to at least one alternative physical site. Backups should be encrypted. In addition to standard incremental backups, all college servers must have an automated snapshot feature to enable restoration in the event of compromise.
  • The university information security baseline assessment lists all the technical controls that should be applied (where appropriate) across the whole college IT estate. These controls, listed in annex 4, are maintained by the University IT services.

7.3 Network Security

Responsibility for management and security of the College’s internal network rests with the Infrastructure Manager and IT Director. These responsibilities extend to:

  • Ensuring all ICT Staff [network administrators] are suitably trained in modern network architecture and security methods, and that the ICT staff policy and procedures manual is kept up to date.
  • Ensuring network logs are kept in accordance with the University OxCert technical policies.
  • Protect the network and the information transmitted across it. The university information security baseline assessment lists all the technical controls that should be applied (where appropriate) across the whole college IT estate. These controls, listed in annex 4, are maintained by the University IT services.
  • Restrict unauthorised traffic using firewalls or equivalent devices.
  • Regularly review and maintain network security controls and device configurations.
  • Identify security features, service levels and management requirements and include them in any network service agreements whether they be in-house or outsourced.
  • Use secure network connections for making any transfers of non-public information.

All of the College’s networks must be monitored at all times. Monitoring must detect and log at least the following activities, as comprehensively as reasonably possible:

  • Unauthorised access attempts on firewalls, systems, and network devices (only authorised systems and users should have access to the network)
  • Port scanning
  • System intrusion originating from a protected system behind a firewall.
  • System intrusion originating from outside the firewall.
  • Network intrusion.
  • Denial of service
  • Any other relevant security events
  • Login and log-off activities

All network activity should be logged in accordance with OxCert policy & exported to the University cloud SAVANT service. It is currently recommended that at least 60 days of logs be kept, and longer where appropriate.

7.4 Email and Internet Use

Policy for the use of electronic mail is covered by the University’s ICTC regulations of 2002 (with subsequent amendments) and available at https://governance.admin.ox.ac.uk/legislation/it-regulations

  • College’s policy and procedure on staff use of email and the Internet should be included in the Staff Handbook.
  • Mass mailing functionality provided by the College is for work-related information only. This therefore excludes the use of the email system for personal business.

7.5 Software Compliance

  • College will provide appropriately licensed and authentic installations of software or cloud service access to all users who need it and will ensure the necessary authorisation has been obtained from the respective publisher or developer.
  • Users of College computer equipment and software shall not copy software or load unauthorised/unapproved software onto a College device (including mobile equipment). The ICT Director (or Infrastructure Manager) may make exceptions on a case-by-case basis after the software has been reviewed by ICT staff.
  • College’s software shall not be given to any external contacts, including alumni/students, without express permission of the IT Director.
  • Licensed software shall be removed from any computer that is to be disposed of outside of the College.

7.6.5 Any further software usage policies should be included in the Staff Handbook.

7.6 Clear Desk/Clear Screen

  • Outside normal working hours, all confidential information, whether marked up as such or not, shall be secured; this may include within a locked office or in a locked desk. ‘Home offices’ must employ the same standards as if working within College premises.
  • Confidential printed information to be discarded shall be placed in an approved confidential waste container as soon as reasonably practical or kept secure until that time.
  • Documents shall be immediately retrieved from communal printers, photocopiers, and fax machines.
  • All desktop computers must be logged off or locked automatically after 10 minutes (unless required to remain on for operational purposes) to ensure that unattended computer systems do not become a means of unauthorised access to information.
  • Unattended laptop computers, mobile telephones and other portable assets and keys shall be secured e.g. in a locked office, within a lockable desk, or by a lockable cable.
  • Those in charge of meetings shall ensure that no confidential information is left in the room at the end of the meeting. In the case of virtual meetings, organisers must ensure ‘meeting chats’ (if used) are saved appropriately.
  • The College shall ensure that members of staff have suitable storage facilities to enable them to comply with this Policy.

7.7 Information Backup

  • The requirements for backing up information shall be defined based upon how often it changes and the ease with which lost data can be recovered and re-entered.
  • The ICT staff shall be responsible for ensuring that systems and information are backed up in accordance with the defined requirements.
  • Backup copies of information and software shall be checked regularly and be stored securely at least once a week at a geographically separate location in the event of a disaster at the main site.
  • All backup information should be encrypted.
  • The backup media shall be given a level of security and physical protection equivalent to the data.
  • Backup logs shall be kept of all backup activity to act as evidence of adherence to the policy.
  • The restoration procedures shall be tested periodically to ensure that they are effective and that they can be completed within the time allocated in the operational procedures.

8.0 Computer Equipment Disposal

Data security of the IT equipment to be disposed of or re-provisioned will be managed by the IT department.

  • All College owned or managed data on IT equipment must be destroyed prior to disposal or re-provisioning of such equipment. This destruction will be irreversible, beyond recovery by all but forensic recovery methods, e.g. data on hard drives that are to be removed from service or disposed of must be securely erased. The data must be overwritten via multiple pass wiping software or by secure physical destruction of the device.
  • Any equipment disposal relating to a data breach must be recorded on the Data Breach Log.
  • All methods of data destruction must comply with standards such as US DOD 5220.22-M National Industrial Security Program Operating Manual (NISPOM), Chapter 8, Section 8-301 et seq. and the UK National Cyber Security Centre (NCSC) technical guide or its successors.
  • Mobile devices shall be appropriately sanitised using the manufacturer’s “reset to factory defaults” feature (ensuring that encryption keys are cleared), or physical destruction of the device where that is not available.

9.0 Data Breach/Loss

A data breach can be defined as a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. It may involve personal data, sensitive personal data, protected data or commercially sensitive data. Examples might include:

  • Loss or theft of data or equipment on which the College’s data is stored (laptop, CD, USB stick)
  • Inappropriate access controls allowing unauthorised use
  • Transferring data to incorrect recipients (by email, post or fax)
  • Deliberate or inadvertent action (or inaction) by a person / member of staff
  • Verbal disclosures
  • Publishing data on the internet
  • Hacking, “blagging” or other forms of social engineering or other deliberate attacks

On discovering or being informed of a breach or suspected breach all members of college must immediately inform the DPO or IT Director by email.

Anyone with concerns about the security or propriety of the sharing of data / information should in the first instance speak with their line manager, fellow, or the Data Protection Officer (data.protection@bnc.ox.ac.uk).

The Data Protection Officer, in conjunction with the Bursar and the IT Director, shall upon notification of a breach:

  • Gather the key facts around the breach, including notifying the Principal who shall decide on further governance, if the matter is deemed sufficiently serious.
  • Establish any immediate steps that are necessary to limit or remedy the breach including advice on any measures that need to be taken locally.
  • Liaise with data subjects and/or other authorities as appropriate.
  • Establish whether and what data must be notified to the Information Commissioner.
  • Ensure lessons learnt from a breach are used to review current guidance and standards.

10.0 Governance

The Bursar is the College’s SIRO (Senior Information Risk Owner) and is responsible for ensuring that the College identifies and addresses risks relating to information security and information governance.

Governance of the College’s data protection framework is via quarterly reviews at the Senior Management Team (SMT) meeting.

11.0 Enforcement

All Brasenose users shall adhere to this policy and may be subject to the College’s disciplinary procedures for non-compliance.

12.0 Payment of 'Ransoms'

The College will not pay ransoms to criminal organisations in the event of ransomware or threats to release or publish College data. The College will protect data in accordance with best practice; however, the College does not give in to extortion.

13.0 Official College Social Media Accounts

The College maintains official social media accounts on behalf of the JCR, HCR, Development Office, and outward facing College accounts, and any person responsible for posting material on official College social media accounts is responsible for ensuring that:

  • They do not publish material which is defamatory or which contains a direct attack on an individual or organisation.
  • They always respect copyright.
  • Any material posted meets standards of decency, language, and appropriateness suitable for a general, adult audience.
  • Posts do not endorse or criticise political parties, causes or candidates.
  • Messages are appropriate in content and tone for the audience.
  • No personal information about any person is published, without that person’s consent (which must be in writing for sensitive information).
  • They are mindful that their post does not risk bringing the College into disrepute.

Annex One

BRASENOSE DATA PROTECTION BREACH POLICY

Policy Statement

This policy applies to all users of the College’s systems and applies to all aspects of data handling.

Purpose

This Policy describes how Data Protection and Information Security breaches must be reported, investigated and managed in order to reduce the impact on the College and data subjects.

The College recognises that members of staff will wish to raise concerns and therefore the College will treat all breaches seriously whether they are minor or major. The College does not operate a ‘blame culture’. The College encourages staff to report accidents and breaches promptly to reduce the risk and impact of the breach. In the vast majority of cases, transparency and openness will avoid any disciplinary action.

Scope

Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to college information assets, or an event which is in breach of the College’s security procedures and policies. All third-party suppliers contracted to provide, support or access solutions, which enable the College to carry out its business functions and deliver its services, have a responsibility to adhere to this policy and all supporting requirements as described and referenced within formal documentation and agreed contractual agreements.

All employees have a responsibility to report security incidents and breaches of this policy within 24 hours of becoming aware of the incident through the College’s Data Breach Reporting Procedure.

In the case of third-party vendors, consultants or contractors, non-compliance could result in the immediate removal of access to IT solutions or suspension/ termination of contractual arrangements. If damage or compromise of the College’s IT solutions or loss of information results from the non-compliance, the College will consider legal action against the third party. The College will take appropriate measures to remedy any breach of this policy and its associated procedures and guidelines through the relevant contractual arrangements in place or otherwise via statutory processes. In the case of an employee, infringements will be investigated under the College’s disciplinary procedure and progressed as appropriate.

Reporting a Breach (or Suspected Breach)

Anyone who suspects or has become aware of a breach in the College’s procedures or a breach of the college data must report this to the Data Protection Officer or IT Director immediately, or within 24 hours of the discovery.

Immediate Containment/Recovery

Depending on the breach, immediate actions by the local staff and managers to limit the damage or otherwise recover may be required. This may include:

  • Containing / restricting the accidental or inappropriate disclosure of data.
  • Recovering lost or stolen equipment / media.
  • Implementing the College’s business continuity arrangements.
  • Stopping an unauthorised practice.
  • Recovering the data concerned.
  • Correcting weaknesses in physical or technical security.

The IT Director, in conjunction with the DPO, will coordinate immediate actions to limit the potential damage and to recover any data, and will apprise Governing Body (via the College Principal) if circumstances demand immediate attention.

Investigation

On becoming aware of a breach, or suspected breach, the DPO will establish the facts surrounding the incident, what data was involved, the potential impact on individuals or the College and what immediate action may be needed. In the event that the DPO is unavailable, or not contactable, the IT Director shall perform the initial fact finding and assessment.

The investigation will consider the following:

  • Has the breach been contained / stopped?
  • Is there a continuing risk to data or individuals?
  • Do we need to inform anyone?
  • Who needs to manage the incident?
  • What records need to be kept and where?
  • Do we need to notify the Information Commissioner’s Office?
  • Do we need to notify data subjects?
  • What remedy is required going forward?

Most breaches will require reporting to the ICO within 72 hours of becoming aware of the breach. To assist with categorisation of the breach, and to determine whether it needs reporting and what notification processes should be enacted, the DPO will use the ICO self-assessment tool: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

If the breach is deemed to require reporting to the ICO, the DPO will submit a report to the ICO within 72 hours. If the breach is deemed to likely result in a high risk to the rights and freedoms of individuals, the DPO will also without undue delay notify the affected data subjects. Where possible, the DPO will liaise with the data subject(s) about the most appropriate method of notification.

Review and Evaluation

Once the immediate actions have been taken and the incident is closed, the DPO will review the incident with the relevant staff and consider what preventative measures should be put in place to reduce the risk of a recurrence.

Implementation

This policy shall be reviewed at each Data Protection Steering Group meeting and updated as required.

Useful Contacts

  • Data Protection Officer: data.protection@bnc.ox.ac.uk
  • IT Director: it.director@bnc.ox.ac.uk
  • Information Commissioner’s Office: https://ico.org.uk/

Annex Two

Cloud / Third Party Services – Code of Practice

Purpose

This code of practice gives guidance to all those who process College data and information on choosing and using cloud or third-party services.

This policy applies to all College users who want to use or recommend a cloud or third-party service that will process College data.

Scope

This document covers cloud and third-party service providers who process, access or store College data. This includes but is not limited to SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service) offerings.

Responsibilities

It is the responsibility of all members of staff to ensure that before selecting and using a cloud or third-party service, they have satisfied themselves that the service meets the College’s requirements. The College’s ICT team is available to help assess services.

Policy

Cloud computing and web-based applications are increasingly used in modern businesses. Such services must be properly assessed before use to ensure they meet the College’s legal, information security, and data protection requirements.

Before selecting a cloud or third-party service, staff should consider:

  1. What data will be processed by the service?
  2. Where will the data be stored, processed and backed up?
  3. How secure is the service?
  4. What happens if the service provider goes out of business?
  5. What rights do we have to our data?
  6. Is there a contract in place and does it adequately protect the College’s interests?

Staff must not use unapproved cloud or third-party services to process College data. The College maintains a list of approved cloud and third-party services which have been assessed by the ICT team and DPO. This list is available from the ICT team.

If staff wish to use a service that is not on the approved list, they must contact the ICT team who will assess the service and, if appropriate, add it to the approved list.

Legislation and Data

The UK Data Protection Act 2018 applies to personal data processed by the College, regardless of where that processing takes place. The College must therefore ensure that any third-party service provider processing personal data on behalf of the College does so in accordance with the Act.

In particular:

  • Data must be processed in accordance with the College’s instructions
  • Appropriate technical and organisational security measures must be in place
  • Data must not be transferred outside the UK/EEA without appropriate safeguards
  • There must be a written contract in place

Compliance

Failure to comply with this code of practice may result in disciplinary action. In serious cases, this could include dismissal.

The ICT team maintains a register of all approved cloud and third-party services. This register is reviewed regularly to ensure that services continue to meet the College’s requirements.

Annex Three

Brasenose College Supplier Information Security Policy

Introduction

Brasenose College is committed to ensuring that all third-party suppliers who have access to, or process, College information maintain appropriate information security standards.

Purpose

This policy sets out the minimum information security requirements that must be met by all third-party suppliers who have access to College information or systems.

The policy aims to:

  • Protect the confidentiality, integrity and availability of College information
  • Ensure compliance with legal and regulatory requirements
  • Manage information security risks associated with third-party access
  • Provide a framework for managing third-party information security

Scope

This policy applies to all third-party suppliers, contractors, consultants and service providers who:

  • Have access to College information or systems
  • Process College information on behalf of the College
  • Provide services that involve handling College information

Policy Statement

All third-party suppliers must demonstrate that they have appropriate information security measures in place before being granted access to College information or systems.

Third Parties – Data Protection and Information Security Obligations

All suppliers or contractors that access or process Brasenose College information must either demonstrate suitable information security standards (as defined in points 1, 2, 3 below) or agree by contract to process information in accordance with this policy and other relevant policies.

  1. Active certification to information security standard ISO27001.
  2. If a Cloud service provider, additionally certified to cloud information security standard ISO27017.
  3. Data is processed, accessed, and backed up solely inside the UK or within the European Economic Area (EEA).

Minimum Requirements

At a minimum, all third-party suppliers must:

  • Have appropriate technical and organisational security measures in place
  • Comply with all relevant data protection legislation
  • Have appropriate business continuity and disaster recovery arrangements
  • Have appropriate incident management procedures
  • Provide evidence of compliance with information security standards

Contracts

All contracts with third-party suppliers must include appropriate information security clauses covering:

  • Confidentiality obligations
  • Data protection requirements
  • Security standards to be maintained
  • Incident reporting requirements
  • Audit rights
  • Termination arrangements including data return/deletion

Management of Supplier Relationships

The College will regularly review supplier relationships to ensure continued compliance with information security requirements.

Sub-Contracting

Third-party suppliers must not sub-contract any processing of College information without prior written consent from the College.

Supplier Access to College Information

Access to College information by third-party suppliers must be:

  • Authorised by the appropriate College authority
  • Limited to the minimum necessary
  • Subject to appropriate access controls
  • Monitored and logged where appropriate
  • Reviewed regularly
  • Revoked when no longer required

Monitoring Supplier Access to the College’s Network

Where third-party suppliers require access to the College’s network, such access must be:

  • Approved by the IT Director
  • Subject to appropriate security controls
  • Monitored and logged
  • Reviewed regularly

Sale of College Data by Suppliers

Third-party suppliers must not sell, share or otherwise disclose College information to any other party without prior written consent from the College.

Security Incident Management

All third-party suppliers must have appropriate security incident management procedures in place and must notify the College immediately of any security incidents affecting College information.

Notification of a personal data breach to the Commissioner

Where a third-party supplier experiences a personal data breach affecting College information, they must notify the College immediately and in any event within 24 hours of becoming aware of the breach.

Breaches of Policy

Breaches of this policy by third-party suppliers may result in:

  • Immediate suspension or termination of access to College systems
  • Termination of contract
  • Legal action where appropriate

Minimum Controls

The following table sets out the minimum information security controls that must be in place:

| Control Area | Requirement | In Place |
|---|---|---|
| 1. Paper Records and Confidentiality | | |
| 1.1 | Paper records containing the College’s confidential or personal data must be locked away at the end of each working day. | Yes / No |
| 1.2 | Keys or electronic access tokens used to keep the College’s information secure should only be provided to individuals who need them for their job. | Yes / No |
| 1.3 | The College’s confidential or personal data must be destroyed when no longer required. | Yes / No |
| 1.4 | Printers used for the College’s confidential or personal data should only be available to individuals who need access to undertake their role. | Yes / No |
| 1.5 | The College’s confidential or personal data should not be left on printers, faxes, photocopiers. | Yes / No |
| 2. Electronic Records and Confidentiality | | |
| 2.1 | The College’s confidential or personal data sent or accessed electronically (including spreadsheets, letters, and schedules) must be protected/encrypted in transit and at rest. | Yes / No |
| 2.2 | Any College access credentials (usernames or passwords) must not be transmitted via SMS, hardcopy, email, or unencrypted instant messaging services. | Yes / No |
| 2.3 | If the College’s confidential or personal data is lost, stolen or accidentally given to someone who should not have it, the College must be notified within 24 hours. | Yes / No |
| 3. IT Equipment and Confidentiality | | |
| 3.1 | Any laptops, USB devices, iPads etc. holding any of the College’s confidential or personal data must be locked away at the end of each working day. | Yes / No |
| 3.2 | Anti-virus software must be installed on IT equipment holding the College’s confidential or personal data with the automatic update activated. | Yes / No |
| 3.3 | Software used on laptops, PCs, and mobile devices should be in support and constantly updated with the latest security patches. | Yes / No |
| 3.4 | Mobile devices including phones and iPads holding the College’s confidential or personal data must have screens secured using a ‘PIN’, biometric or password. | Yes / No |
| 3.5 | Portable devices such as laptops, tablets or phones holding the College’s confidential or personal data should be encrypted. | Yes / No |
| 3.6 | Old laptops, USB devices, iPads, smartphones etc. used to hold the College’s confidential or personal data must be disposed of securely to ensure that the data on the hard drives is destroyed. | Yes / No |
| 3.7 | Individuals with access to the College’s confidential or personal data must take all reasonable steps to ensure that the information is not accidentally or intentionally disclosed. | Yes / No |

Annex Four

University Baseline Security Controls

These are the core technical controls that must be applied throughout the entire IT estate where it is technically possible to do so. Where it is not possible to apply a specific control, appropriate mitigations should be in place.

As of 2023 (v4) there are 109 technical controls in the areas of:

  • Access Controls: Accounts & Privileges
  • Access Controls: Authentication
  • Access Controls: Network
  • Incident Management
  • Monitoring & Logging
  • Network Management
  • Operations
  • System Acquisition & Maintenance
  • Vulnerability Management

A detailed list of each control can be found at: https://www.infosec.ox.ac.uk/baseline-security-controls