Information Security Policy for staff

See our full Information Security Policy

See the Information Security Policy Legal Framework

We recognise the importance of information as a corporate asset.
Our Information Security policy:

  • Ensures all data in the University is handled and stored with an appropriate level of security
  • Outlines the monitoring measures the University takes to ensure the security of data and IT services
  • Outlines user policies which must be adhered to including:
    • Acceptable use
    • Physical security
    • Personal devices
  • Outlines management policies for business/system/service owners

Some of the core policies of our Information Security Policy are:

  • To support the University and IT strategic vision
  • To follow and develop the Scottish Government’s Public Sector Action Plan on Cyber Resilience
  • To make students, staff and third parties at the University aware of their responsibility to data
  • To maintain the integrity (accuracy and security) of information we hold
  • To comply with all legal and contractual obligations we have to data

Our Information Security policy is an overarching policy. We have summarised the contents of the policy here. You can download the Information Security Policy and other related policies below.

Summary of Information Security policy

General

  • You should use our computing facilities in a way which is:
    • ethical
    • legal
    • appropriate to the University's aims
    • not detrimental to others
  • You are responsible for ensuring the security of University devices and University data which you have access to
  • You must adhere to standards of acceptable use for use of University devices and services

Information security

  • Information security is the responsibility of every member of staff, students, and third parties
  • All information and data held by the University must be accurate and stored with an appropriate level of security

Data Handling

Data must be categorised, processed, and stored according to the following registers:

a chart showing the three levels of data classifications: high,medium and low risk data.

a grid showing the classifications of data

 

Monitoring

  • The University will monitor the use of University devices and services to comply with legal, regulatory and operational requirements
  • The University will ensure the integrity and confidentiality of this information
  • All monitoring activities will be appropriately authorised and documented.

User policies

All students, staff, and third parties must comply with guidelines on:

  • Acceptable use in accessing University devices and services
  • Acceptable personal use of University devices
  • Physical security of IT equipment
  • Personal device use for University purposes

More information on University Cyber Security standards can be found on our Cyber Security Pages

Training

All staff and students should complete cyber security awareness training available from Myplace.