All those with access to University Information Systems, including staff, students, visitors and contractors, are responsible for making sure University information is kept securely and used appropriately.

The University's Information Security policy and its supporting policies provide a framework to help make sure that the data held and processed by the University is managed with the appropriate standards to keep it safe. We are pleased to announce the publication of our updated Information Security Policy, a crucial step in our ongoing commitment to safeguarding the University’s digital assets and sensitive information.

Why the update?

In today’s rapidly evolving digital landscape, the threats to information security are more sophisticated than ever. Our updated policy reflects best practices and regulatory requirements, ensuring that we remain at the forefront of information security.

Summary of key changes/additions

Responsibilities

Know what your responsibilities are. We all have a responsibility, whatever our role.

All members of staff are required to complete the essential training provided by the University. This includes mandatory training, including an annual booster on information security.

Use of third party Cloud Services

Cloud-based file hosting services are third parties, and therefore the user has no direct control over the management and security of data that is entrusted to them. Consider the risks involved, ensure the cloud service is secure and compliant with relevant legislation, and consider whether the risks of using the service are acceptable.

Purchase of information systems and software

All IT and information-related software, systems and hardware must be purchased in line with procurement legislation. 

Protection of restricted information

The policy does not undermine the University’s fulfilment of its duties as a higher education institution under the Higher Education (Freedom of Speech) Act 2023.

Access control

Responsibilities for updating permissions and access to University systems and files should be reviewed annually, and always when an individual changes roles.

The supporting policies comply with legal requirements including the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).

Responsibilities

The University is committed to protecting the security of its information and information systems in order to ensure that:

a) the integrity of information is maintained, so that it is accurate, up to date and fit for purpose
b) information is available to those who need it, when they need it
c) confidentiality is not breached, so that information is accessed only by those authorised to do so
d) the University meets all its legal and statutory requirements, and
e) the reputation of the University is safeguarded

We all have a requirement to work within the guidelines of the Information Security Policy and its supporting policies.

The Information Security Policy sets out the responsibilities we all have.

Required reading

All University members should be familiar with the University's Information Security policy and the key principles of the Information Security policies.

We should all:

  • Make sure that only those who need access to data have that access
  • Avoid storing information where it can be accidentally exposed or lost, for example on unencrypted storage devices or on a desk in an office (even if the office is locked)
  • Make sure that if data must be sent, shared or transported, we send it securely using encrypted devices or channels, for example Box or Zendo.

List of policies