Within the University Group, the expectation placed upon technology is high - with the need for it to perform effectively, across multiple geographical locations, whilst remaining safe and secure for the business and students alike. This is where information security plays a pivotal role, as we provide the assurance to the business, our partners and students that secure processes, procedures and associated activities are both in place and remain fit-for-purpose and use. The specialism of information security continues to evolve, and with our fast-paced business activities and opportunity-driven environments comes the need for a high level of agility and responsiveness.
To further support this drive towards a more secure environment and to demonstrate our commitment to cyber and information security, the University is also certified for Cyber Essentials and Cyber Essentials Plus.
The following information provides an overview of the information security initiatives and processes that the University Group has in place and informs potential business partners, students and staff of their responsibilities towards information security.
Information Security glossary
During your time with the University Group, you are likely to come across terms relating to information security. Here are a few helpful definitions and concepts:
- Information security: often shortened to InfoSec, this is a combination of processes, behaviours and organisational culture all centred around keeping information secure. The aim of information security is to uphold the confidentiality, integrity and availability (CIA) of data – a concept known as the CIA triad.
- Confidentiality: ensuring that data and information is not made available or disclosed to unauthorised individuals.
- Integrity: ensuring the accuracy of data and information and making sure it can’t be tampered with.
- Availability: ensuring that data and information is accessible and usable upon demand by someone that is authorised.
Ensuring CIA of information is more than just IT and computers; it is also about people, their knowledge, beliefs, perceptions, attitudes, assumptions, and values around Information Security.
- Data and Information are used interchangeably to mean information captured, processed or stored by the University or its Subsidiaries.
- Security Incident - one or more unwanted or unexpected information security events that have or may have compromised (or have a significant probability of compromising) University operations and/or threatened information security.
- Event - an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards.
- Policy - owned at Executive level, it is a formal management statement of intent to reduce risk. It will identify significant risks and effects and state the controls and mitigations in place.
- Standard - defining what is required to support all or part of the overarching policy, more specifically in relation to areas of risks and their mitigations.
- Procedures - the mandatory operational instructions and processes required to carry out the controls to enforce the policy.
- Guidance - non-mandatory recommendations to help achieve the policy’s objectives.
Why is Information Security important?
- To protect the reputation and standing of the University.
- To protect the right to privacy of individuals, including their legal rights as data subjects. Find more information on these rights and data protection related information.
- To protect the intellectual property rights of the University.
- To ensure that the Legal obligations placed upon the University are met.
- To aid the continuity of University business.
The University Group ensures this by:
- Following recognised information security best practices.
- Applying appropriate information security measures.
- Providing the necessary information and training so that all staff and IT users accessing and using University systems comply with relevant policies, laws and regulations, including the Data Protection Act 2018 and Computer Misuse Act 1990.
Information Security responsibilities
Information security is everyone’s responsibility, and by adhering to policies and following good information security practices, we can all contribute to protecting the University Group’s data, assets and reputation.
The Vice-Chancellor has overall executive responsibility for the security of the University's information. Specific information security tasks are delegated to certain staff responsible for drawing up University wide policies, standards and procedures.
Depending on your role, you may also have additional responsibilities to ensure that security of information is upheld.
To further support the Group’s security initiatives, the University has a dedicated Information Security and Digital Compliance team, a Cyber Security team responsible for monitoring the security of the Group’s infrastructure, and an Information Governance Unit and Data Protection Officer (DPO) that deal with matters relating to data protection and privacy rights for individuals.
Individual staff members (including temporary staff, contractors, and agents) are responsible for:
- ensuring they understand and follow established working practices
- ensuring that they comply with security policy and associated standards
- ensuring they comply with the relevant laws and regulations
- reporting any breaches in security policy or law to the University
- reporting any identified threats or vulnerabilities immediately
- undertaking periodic information security staff awareness and training
Managers within the University and its subsidiaries are likely to be custodians of various University information assets on either a permanent or temporary basis. As such, they are responsible for ensuring that their teams and line reports follow established working practices and adhere to relevant policies and standards.
Security policies and standards
The University continues to maintain and develop a comprehensive information security and management policy framework. It has several policies with supporting standards in place to uphold information management, security and governance. All policies and standards are issued under the authority of the Vice-Chancellor who is also accountable for their interpretation and enforcement.
All staff, contractors, and students are expected to follow the policies and standards in place. Regular training and awareness for staff takes place to ensure they properly understand their responsibilities towards information security. Some of the policies and standards included in our framework cover:
- Clear desk and workspace – to establish the minimum standards for maintaining a secure desk or physical workspace.
- Incident Management – determines the requirement for reporting information security related incidents and ensuring a consistent and effective approach to the management of Information Security Incidents.
- IT Acceptable Use – provides a framework for the acceptable use of Coventry University Group’s Information Technology (IT) to ensure that it can be used safely, lawfully and equitably.
- Removable media and bring your own devices – defines the minimum conditions for using privately owned IT equipment for the purpose of carrying out Group work.
- Mobile devices – outlines the requirement with regard to using mobile devices to undertake any Group business.
- Passwords – sets out the requirements for effective password use for anyone with access to and using Group IT systems.
- Emails – describes the requirement with regard to the use of the email system for Group business processes.
Information Security incidents
The Group encourages all members of the University to assist in the improvement of information security by reporting any incidents adversely affecting security to the Digital Service Centre. Effective information security incident management is required to protect the confidentiality, integrity, and availability of University information assets, products, systems, and services.
What constitutes an Information Security incident?
A security incident is defined as an unwanted or unexpected information security event that has or may have compromised (or has a significant probability of compromising) University operations and/or threatened information security.
Common examples of information security incidents include:
- Clicking on a suspicious link or opening a suspicious email attachment.
- Sending a sensitive email to the wrong recipient.
- Loss or theft of a device containing University Group or personal data.
- Loss or theft of ID/access card.
- Accidental downloads of potentially malicious software or noticing suspicious files on a device.
- Unusual activity, for example, slow running devices.
- Unusual behaviour from personnel or visitors.
Once details of a security incident or breach have been reported, confirmed and logged, the Digital Service Centre will employ the following response process:
- Initial Diagnosis
- Incident Escalation
- Investigation and Diagnosis
- Resolution and Recovery
- Incident/Event Closure
Reporting a security incident
It is everyone’s responsibility within the University to report a security incident if they see it, even if it is an unconfirmed suspicion.
To report a security incident, contact the Digital Service Centre on +44 (0)2477 657 777.