1 and it’s one of its most

 

 

1          
Introduction

UML Limited recognises that Information is fundamental to its
effective operation and it’s one of its most important business asset. The
purpose of this Information Security Policy is to ensure that the information
managed by the UML is appropriately secured in order to protect against the
possible consequences of breaches of confidentiality, failures of integrity or
interruptions to the availability of that information.

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

This policy will address the following issues;

i.                    
Confidentiality: Data access is
confined to those with specified authority to view the data;

ii.                  
Integrity: All system assets
are operating correctly according to specification and in the way the current
user believes them to be operating; and

iii.                 
Availability: Information is
delivered to the right person when it is needed.

 

Policy objectives

The objectives of this policy
are to:

1.      
Protect UML from liability
or damage through
the misuse of its Information
technology facilities.

2.      
Provide a secured and safe information systems
working environment for staff and any other authorised users.

 

3.      
Provide a framework for establishing suitable levels of information security
for all UML information systems (including but not limited to all computers, mobile
devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.

 

4.      
Make certain that users are aware of and comply with
all current and relevant
UK and EU legislation.

 

 

5.      
Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle, including satisfying the information security requirements of third party data providers.

 

6.      
Maintain research data and other confidential information provided
by suppliers at a level of security commensurate with its classification, including upholding
any legal and contractual requirements around information security.

 

7.      
Respond to feedback
and update as appropriate, initiating a cycle of continuous improvement.

 

 

Scope

This policy
is applicable to, and will be communicated to, all staff and other members of the
UML IT department and third parties who interact with information held by the UML and the information systems used to store and process it.

This includes, but is not limited to, any systems or data attached to the UML data or telephone networks, systems
managed by UML, mobile
devices used to connect to UML networks or hold UML

data, data over which UML holds the intellectual property
rights, data over which UML is the data controller or data processor, communications sent to or from the UML.

 

 

 

2          
The Policy

 

2.1        
Security principles

The following
information security principles provide overarching governance for the security and management of information at UML.

 

1.       Information should be classified according to an appropriate level of confidentiality, integrity
and availability (see Section 2.3. Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements and UML policy (see Section 2.2. Legal and Regulatory Obligations).

 

2.      
Staff with particular responsibilities for information (see Section 3. Responsibilities) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies,
procedures or systems for meeting
those responsibilities.

 

3.      
All users covered by the scope of this policy (see Section 1.2. Scope) must handle information appropriately and in accordance with its classification level.

 

4.      
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

a.       On this basis, access
to information will be on the basis of least privilege and need to know.

 

5.      
Information will be protected
against unauthorized access
and processing in accordance with its classification level.

 

6.       Breaches of this policy must be reported (see Sections
2.4. Compliance and
2.5. Incident Handling).

 

7.      
Information security provision and the policies
that guide it will be regularly reviewed, including through
the use of annual internal audits and penetration testing.

 

8.      
Any explicit Information Security
Management Systems
(ISMSs) run within UML will be appraised and adjusted through the principles of continuous improvement, as laid out in ISO27001 clause 10.

 

 

2.2        
Legal
& Regulatory Obligations

UML limited has a responsibility to abide by and adhere
to all current UK and EU legislation as well as a variety
of regulatory and contractual requirements.

 

2.3        
Information
Classification

The following table
provides a summary
of the information classification levels that have been adopted by UML limited.

 

 

 

 

 

 

 

 

 

 

Security Level

Definition

Examples

1. Confidential

Normally accessible only to specified members of UML staff. Should be held in an encrypted state
outside UML systems; may have encryption at rest requirements from providers.

– Sensitive patients’ data such as racial/ethnic origin,
political opinion, religious beliefs, physical/mental health
condition, sexual life, criminal record.
– Passwords

Patients medical history
 

2. Restricted

Normally accessible only to specified members of UML staff

-Reports
– Meeting papers and minutes

Database access

3. Internal Use

Normally accessible only to members of UML staff.

Policy
documents

4. Public

Accessible to all members of the public

Information available on the UML
website

 

 

 

 

 

 

 

2.4        
Suppliers

All UML contractors will abide by UML’s Information Security Policy.
When accessing or processing UML assets, whether on site or remotely and when subcontracting to another suppliers.

 

 

2.5        
Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of UML’s
information systems
could lead to the possible
loss of confidentiality, integrity and availability of personal or other confidential data stored on these
information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act (1998)
and the EU General
Data Protection Regulation, contravenes UML’s Data Protection Policy, and may result in criminal or civil action
against the organisation.

 

The loss or breach of confidentiality of contractually assured information may result
in the loss of business, financial penalties
or criminal or civil
action against UML. Therefore it is crucial that all users of the UML information systems
adhere to the Information Security
Policy and its supporting policies as well as the
Information Classification Standards.

All current staff and other authorised
users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled
in accordance with all relevant organisation policies.

 

 

2.6        
Incident Handling

If a member of staff
is aware of an information security
incident, they must report it to the Information Management Service Desk by email.

 

 

2.7        
Supporting
Policies, Codes of Practice, Procedures
and Guidelines

Supporting policies have been developed to strengthen and reinforce this policy
statement. These, along with associated codes of practice,
procedures and guidelines are published together and are available for viewing on the
organisation website.

 

All staff and
any third parties authorised to access
UML’s network its facilities are required
to familiarise themselves with these supporting documents and to adhere to them in the working environment.

 

 

 

2.8        
Review and Development

 

This policy, and its subsidiaries, shall be reviewed by the Information Security
Advisory Board (ISAB) and updated
regularly to ensure that they remain appropriate in the light of any relevant
changes to the law, organisational policies or contractual obligations.

Additional regulations may be created to cover specific areas.

ISAB comprises representatives from all relevant parts of the organisation. It shall
oversee the creation of information security and subsidiary policies.

The Information Security
Manager will determine
the appropriate levels of security measures
applied to all new information systems.

 

3          
Responsibilities

 

Responsibility for the production,
maintenance and communication of this top-level policy document and all
sub-policy documents lies with UML’s IT Security Manager.

 This
top-level policy document has been approved by the Information Technology
Governance Group (ITGG). Substantive changes may only be made with the further
approval of this group. Responsibilities for the approval of all sub-policy
documents is delegated to the Information Security Group (ISG). Before approving
any sub-policy the ISG will consult with the ITGG, where necessary. 

Each of the documents constituting the
Information Security Policy will be reviewed annually. It is the responsibility
of the IT Security Manager to ensure that these reviews take
place. It is also the responsibility of the IT Security Manager to ensure that
the policy set is and remains internally consistent. 

Changes or additions to the Information
Security Policy may be proposed by any member of the department to the IT Security
Manager. 

Any substantive
changes made to any of the documents in the set will be communicated to all
relevant personnel.

Members of UML:

All members
of UML, UML associates, agency
staff working for UML, third parties and collaborators on UML projects will be users of UML information. This carries with it the responsibility to abide by this policy and its principles and relevant
legislation, supporting policies,
procedures and guidance.
No individual should
be able to access
information to which they do not have a legitimate access right.

Notwithstanding systems in place to prevent
this, no individual should knowingly contravene this policy,
nor allow others
to do so. To report policy contraventions, please see Section 2.5: Incident Handling

 

Heads of Departments, Divisions, Centres:

Responsible for the information systems
(e.g. HR/ Registry/
Finance) both manual and electronic that support UML’s work. Responsibilities as above (for Principal
Investigators / Project administrators).

Responsible for specific
area of UML work, including all the supporting information and documentation that may include
working documents/ contracts/ staff information.

 

 

Information Security Advisory Board

Responsible for the advising
on and recommending information security policies
to the Information Technology Committee, assessing information security risks, identifying and implementing controls to risks.

 

Information Technology Committee

Responsible for approving information security
policies.

x

Hi!
I'm Dana!

Would you like to get a custom essay? How about receiving a customized one?

Check it out