We recognise the importance of information as a corporate asset. Our Information Security policy:
- ensures all data in the University is handled and stored with an appropriate level of security
- outlines the monitoring measures the University takes to ensure the security of data and IT services
- outlines user policies which must be adhered to including:
- acceptable use
- physical security
- personal devices
- outlines management policies for business/system/service owners
Some of the core policies of our Information Security Policy are to:
- support the University and IT strategic vision
- follow and develop the Scottish Government’s Public Sector Action Plan on Cyber Resilience
- make students, staff and third parties at the University aware of their responsibility to data
- maintain the integrity (accuracy and security) of information we hold
- comply with all legal and contractual obligations we have to data
Our Information Security policy is an overarching policy. We have summarised the contents of the policy here. You can download the Information Security Policy and other related policies below.
Summary of Information Security Policy
General
You should use our computing facilities in a way which is:
- ethical
- legal
- appropriate to the University's aims
- not detrimental to others
You are responsible for ensuring the security of University devices and University data which you have access to.
You must adhere to standards of acceptable use for use of University devices and services.
Information security
Information security is the responsibility of every member of staff, students, and third parties.
All information and data held by the University must be accurate and stored with an appropriate level of security.
Data handling
Data must be categorised, processed, and stored according to the following registers:
| Category | Data | Examples |
|---|---|---|
| High | Any data that is high confidential. This could be time sensitive data that will later become public (such as research of financial plans). This category includes special categories of personal data, as described by GDPR. |
|
| Medium | Any data for the internal running of the University, which is not classed as high. This category includes personal data as described by GDPR. |
|
| Low |
Any data publicly available. Any data not classified as high or medium. |
|
Monitoring
The University will monitor the use of University devices and services to comply with legal, regulatory and operational requirements.
The University will ensure the integrity and confidentiality of this information.
All monitoring activities will be appropriately authorised and documented.
User policies
All students, staff, and third parties must comply with guidelines on:
- acceptable use in accessing University devices and services
- acceptable personal use of University devices
- physical security of IT equipment
- personal device use for University purposes
Find out more about University Cyber Security standards.