Cyber and Information Security Policy

The objective of cyber and information security is to achieve and maintain a condition where all information and data (physical and digital) are always available to all those who need and are authorised to access it, where it cannot be corrupted or disclosed to unauthorised persons and its origin is authenticated. This involves the preservation of:  

Confidentiality 
Ensuring that information is only accessible to authorised persons throughout its entire lifecycle; 

Integrity 
Safeguarding the accuracy and completeness of information and processing methods, and ensuring modification by authorised persons only;

Availability 
Ensuring that authorised users have access to information and associated assets when required;  

Non-repudiation 
The assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. Additionally, being able to evidence that an individual has accessed information and whether or not they altered it, ensuring that actions cannot be denied.

It is the policy of the University to ensure that information assets are appropriately protected from all threats, whether internal or external, deliberate or accidental. The policy therefore requires that measures are implemented to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems, disasters and unauthorised access.

This is achieved through implementation of a combination of organisational and technical controls which are supported by guidelines and processes that are designed to detect, deter and delay security attacks and facilitate investigation. 

Scope

This policy applies to all staff, students and any third parties who access and/or use the University’s digital and information technology resources.

This policy applies to:
• All University data and information (physical and digital), information services, information systems, information technology, networks and applications regardless of the device that they are accessed on or the location that they are accessed from;
• All University Digital Services ued devices regardless of what they are used for;
• Personal devices used to access University data and information (physical and digital), information services, information systems, information technology, networks and applications regardless of location, whether on or off campus;

all the above are referred to as “Information Systems” in the policy statements.

Roles, Responsibilities and Compliance

The CISO (Chief Information Security Officer) is responsible for the creation and on-going development of cyber and information strategy, and associated policies, so that the University complies with relevant legislation including:

• Data Protection Act (2018) 
• General Data Protection Regulation (EU and UK variants)
• Computer Misuse Act (1990) 
• Copyright, Designs and Patents Act (1988) 
• Counter-Terrorism and Security Act (2015), in particular The Prevent Duty
• Equality Act (2010)
• Freedom of Information Act (2000)
• Regulation of Investigatory Powers Act (2000)
• Export Control Act (2002)
• Communications Act (2003) - S127 Malicious Communications
• Security of Network and Information Systems Regulations (2018)

Additionally, the CISO is responsible for the day-to-day operation of the Cyber Security function at the University.

The Chief Digital and Information Officer has overall executive responsibility for digital and information services at the University, including cyber and information security.

The Chief Operating Officer and Registrar is the Senior Information Risk Owner (SIRO). The SIRO is accountable for information risk on the Senior Leadership Team (SLT) and in internal discussions, ensuring that identified information security threats are followed up and incidents managed.

The Digital Committee sign off cyber and information related strategies and policies.

The Senior Leadership Team (SLT) ratify cyber and information related strategies and policies.

Members of the University Cyber Security Team lead communications, advise on training and compliance, and necessary actions to ensure secure use of the University’s information and technology. Further, they share best practice and information on relevant practices, cyber security certification and compliance, and are responsible for advising on the compliance with these policies and associated processes.     

The staff terms and conditions of employment (https://staff.swansea.ac.uk/human-resources/policies-and-procedures/#employment-and-contractual-arrangements=is-expanded) state that employees must follow the University’s regulations which includes this policy set. 

Line Managers provide specific guidance on compliance to any member of staff whose duties require it, supported by the Digital Services Cyber Security Team where required. This support can be requested by opening a Service Desk ticket.

The Student Regulations state that students must follow University regulations which includes this policy set (https://myuni.swansea.ac.uk/academic-life/academic-regulations/).  

All third party users who are given access to University information technology must agree to abide by the University’s Cyber and Information Security Policies.

It is incumbent on all staff, students and third parties to understand and adhere to the policies, guidelines and processes that are published relating to Cyber and Information Security.

This policy is available electronically on the Intranet site. Updates will be published in the same location. 

Breach of Policy

All suspected breaches of this policy will be investigated by the CISO, or a nominated individual, and appropriate actions taken, including reporting the findings to the appropriate management and with potential referral to formal investigation in line with the University’s Conduct Ordinance. A summary of all investigations will be reported to the University’s Senior Leadership Team (SLT) and Audit Assurance and Risk Committee (AARC), without identification of individuals.

Failure of a user to comply with any part of the Cyber and Information Security Policy may lead to the relevant disciplinary processes being invoked and relevant actions may be taken. Where illegal activity is suspected the relevant law enforcement agency will be informed.

Policy Review

The Cyber and Information Security Policy will be reviewed at least annually and in the event of legislative, organisational or threat landscape changes. Where appropriate, policies will be updated identifying additional steps that are required to improve the security of resources, systems and services. Revisions to the Cyber and Information Security Policy Set will be approved by SLT.

Cyber and Information Risk Appetite Statement

The University will not accept any avoidable risks which could compromise the security of its data and information (digital and physical). Compromises include a loss of confidentiality, integrity, or availability of information as well as the loss of Information Services resulting from either malicious or accidental activity.

Consequently, the University has a low level (as defined by the University’s risk management framework) appetite for exposure to cyber and information security risk, due to the scale and sensitivity of information that it creates, handles and shares. As such, all parts of the University must take measures to protect our data and information from cyber and information security incidents.

Cyber and information security needs to be embedded into all University activities by all staff, students and third parties. Therefore, it is the responsibility of all staff, students and third parties to ensure that the appropriate cyber and information security controls, relating to people, processes and technology, are in place and operating effectively at all times.

Cyber and Information Security Policy Exemptions

The inability to comply with Cyber and Information Security policies and processes will occur from time to time for a variety of reasons. In this instance an exemption from the policy will be required.

The Cyber and Information Security Exemption Process should be invoked when an exemption is required. See section 9 of this policy for more details.

The policies and processes ensure that an appropriate level of risk is maintained by the University and any exemption to these must therefore be fully assessed to ensure that the altered risk levels are understood and approved.

Policy Statements

8.1 Cyber and Information Security Management

8.1.1. The Cyber and Information Security Policy supports the University and Digital strategic visions by defining the high-level approach taken to reducing associated risks to its security, reputation, finances and operations.

8.1.2. The information managed by the University shall be appropriately secured to protect confidentiality, integrity and availability.

8.1.3. Proportionate security measures shall be put in place to protect Information Systems from cyber and information associated risks. The University will protect the security of its information assets in order to:

• Maintain the integrity and quality of information so that it is accurate, up to date and fit for purpose.
• Make information available to those who need it and ensure there is no disruption to University business.
• Ensure that confidentiality is not breached so that information is accessed only by those authorised to do so.
• Provide assurance of non-repudiation.

8.1.4. The University will develop and communicate Cyber and Information Security Policies, guidelines and processes that all staff, students and third parties are required to comply with thereby ensuring it meets its legal and regulatory compliance requirements.

8.1.5. The University is fully committed to fulfilling its Prevent Duties.

8.1.6. The University acknowledges that every member of staff, student and third party has a responsibility in relation to Cyber and Information Security. The University has committed to a programme of awareness, training and education in order to address this obligation.

8.1.7. Security controls will be documented and communicated to all relevant stakeholders.

8.2 Cyber and Information Security Risk Management

8.2.1. The University shall take appropriate steps to identify, assess, and manage security risks to the University Information Systems and any other technologies that make up the University’s Digital estate.

8.2.2. An organisational approach shall be taken to Cyber and Information Security Risk Management, with Cyber and Information Security Risks managed as part of Swansea University’s Risk Management Framework to ensure that risks are managed in accordance with the University’s defined risk appetite.

8.3 Cyber and Information Asset Management

8.3.1. The University’s information, hardware and software assets shall be recorded in accurate and up to date asset registers, including details of business owners.

8.3.2. Asset information records shall be sufficient to enable risk-based decision making, reduce risk of compromise by weakness in hardware and software, protect assets against loss, meet compliance requirements, and inform contracts.

8.3.3. The University will ensure that the asset registers are regularly checked for discrepancies, protected to ensure their accuracy and are reviewed.

8.4 Cyber and Information Access Management

8.4.1. Access to University Information Systems is controlled, managed, and monitored through policies, guidelines and processes.

8.4.2. Unique user account credentials are used to control staff, student and third party access to University Information Systems and locations as needed for their functional role and tasks.

8.4.3. All accounts must be protected using dual factor, wherever possible. Where passwords are used, they must be complex and difficult to guess in accordance with latest NCSC advice.

8.4.4. Administrative and/or Privileged user accounts shall be used only when needed for administrative or elevated activities and not for day-to-day work tasks, regularly reviewed and removed when no longer required. Access privileges for all user accounts shall be granted in line with and by applying the principle of least privilege.

8.4.5. The University shall utilise an Identity and Access Management system for controlling user accounts throughout their lifecycle. The system will ensure that unique account credentials are created, updated and removed in a timely manner to control access to Information Systems and locations necessary for the role’s function.

8.4.6. The University will ensure that appropriate Identification, Authorisation, Accounting and Auditing measures are in place for all Information Systems. An appropriate level of logging, monitoring and retention shall be implemented.

8.5 Cyber and Information Business Resilience

8.5.1. The University shall take appropriate steps to ensure Information and Cyber Security is embedded within the organisation’s business continuity management systems and is an intrinsic part of business continuity planning.

8.5.2. The University shall ensure that well defined Cyber Incident Management processes are in place, documented and regularly tested.

8.5.3. The University is committed to identifying and resolving Cyber and Information Security incidents quickly, effectively and in line with compliance requirements:

a. The University will identify, respond to, and recover from Cyber and Information Security incidents to minimise the business impact and reduce the risk of similar incidents occurring.
b. The University will conform to statutory and contractual requirements in relation to reporting.
c. The Cyber Incident Response Team shall be responsible for managing Information and Cyber Security incidents.
d. A review shall take place after each such incident to identify the root cause, highlight improvements and any lessons learned that can be applied to improve the process.

8.5.4. The University will complete a programme of risk assessment and mitigation that will ensure detailed disaster recovery plans are documented for each business-critical digital service, to enable that service to be restored within the agreed timescale in the event of a major failure.

8.5.5. The University will develop, document and test a set of plans to enable business services to continue to be delivered to an agreed level, in the event of a disaster or emergency affecting Information Systems. These plans will be made available to relevant stakeholders.

8.5.6. Cyber and Information Business Continuity and Disaster Recovery Plans will be developed as part of the University Business Continuity Plans. Cyber and Information Plans will be regularly tested and reviewed, to ensure the plans are effective and fit for purpose.

8.6 Device and Service Management

8.6.1. The University is committed to ensuring fixed and portable digital devices used to access the University information systems are managed securely and protected from cyber risk throughout their lifecycle.

8.6.2. University owned fixed and portable end-user computing devices shall be centrally managed and securely configured in line with accepted good-practice standards.

8.6.3. The University is committed to ensuring fixed and portable storage media devices are appropriately secured and managed so that information and systems are protected whilst data is in-transit and at-rest.

8.6.4. The University supports ‘bring your own device’ (BYOD) providing it meets the minimum security standards which will be enforced by conditional access controls.

8.7 Cyber and Information Physical Security

8.7.1. The University will restrict physical access to its facilities, such as data centres and network equipment rooms, to authorised personnel and managed in accordance with documented access control processes.

8.7.2. The University shall ensure that appropriate processes are in place to reduce the physical risks to its information, systems and services from internal and external environmental threats and hazards.

8.7.3. The University will ensure that any person(s) classified as visitors to the restricted facilities are suitably managed and appropriately supervised at all times.

8.8 Cyber and Information Security by Design

8.8.1. The University shall take appropriate steps to ensure its Information Systems and other digital infrastructure technologies are designed to be secure and resistant to cyber security incidents.

8.8.2. The University ensures that proof of origin, authenticity, and integrity of data are considered when designing and implementing technology solutions.

8.9 Network and Operational Security

8.9.1. The University is committed to ensuring appropriate security measures are in place to manage the identified risks and ensure the protection of information assets held in University Information Systems.

8.9.2. The University shall take appropriate steps to protect the confidentiality, integrity and availability of information assets to prevent unauthorised users and devices from gaining access to its Information Systems.

a. Access to information systems and services shall be based on the principle of least privilege.
b. All connected devices shall be appropriately configured, and monitored by Digital Services.

8.9.3. The University is committed to protecting the integrity of its information assets by having in place monitoring systems and processes which consolidate logs, identify cyber threats and support investigations.

8.9.4. All changes to the University’s Information Systems must be authorised and implemented in accordance with the Digital Services Change Management processes.

8.9.5. Staff, students and third parties must provide timely cooperation and all necessary information and access to support an investigation by the Digital Services Cyber Security Team.

8.9.6. Security measures will be documented and communicated to relevant stakeholders in the form of guidelines and processes.

Exemptions

Exemptions to this policy require the approval of:

either

• Executive Dean of the Faculty (for academics and students) or
• Registrar/Chief Operating Officer (for professional services and third parties)
and
• Chief Digital and Information Officer (CDIO)

All exemptions will be reviewed by the Cyber Advisory Team every six months to ensure that the exemption is still valid. Full details of the process to obtain an exception can be found on the Exemption Request Page.

Version

Cyber and Information Security Policy
Policy No. DS.CS.POL.002.v1.0

Version: V1.0
Data Classification: Official
Effective Date: 14/05/2024
Last Revised: 14/05/2024
Review Interval: Annual
Review Date: 14/05/2025
Approval Body: Senior Leadership Team
Policy Owner: CISO (Chief Information Security Officer)
Policy Author: Cyber Governance Manager