8.1 Cyber and Information Security Management
8.1.1. The Cyber and Information Security Policy supports the University and Digital strategic visions by defining the high-level approach taken to reducing cyber and information security risks to the University’s security, reputation, finances and operations.
8.1.2. The information managed by the University shall be appropriately secured to protect confidentiality, integrity and availability.
8.1.3. Proportionate security measures shall be put in place to protect Information Systems from cyber and information security risks. The University will protect the security of its information assets in order to:
• Maintain the integrity and quality of information so that it is accurate, up to date and fit for purpose.
• Make information available to those who need it and ensure there is no disruption to University business.
• Ensure that confidentiality is not breached so that information is accessed only by those authorised to do so.
• Provide assurance of non-repudiation.
8.1.4. The University will develop and communicate Cyber and Information Security Policies, guidelines and processes with which all staff, students and third parties are required to comply, thereby ensuring that the University meets its legal and regulatory compliance requirements.
8.1.5. The University is fully committed to fulfilling its Prevent Duties.
8.1.6. The University acknowledges that every member of staff, student and third party has a responsibility in relation to Cyber and Information Security. The University has committed to a programme of awareness, training and education in order to address this obligation.
8.1.7. Security controls will be documented and communicated to all relevant stakeholders.
8.2 Cyber and Information Security Risk Management
8.2.1. The University shall take appropriate steps to identify, assess, and manage security risks to the University Information Systems and any other technologies that make up the University’s Digital estate.
8.2.2. An organisational approach shall be taken to Cyber and Information Security Risk Management, with Cyber and Information Security Risks managed as part of Swansea University’s Risk Management Framework to ensure that risks are managed in accordance with the University’s defined risk appetite.
8.3 Cyber and Information Asset Management
8.3.1. The University’s information, hardware and software assets shall be recorded in accurate and up to date asset registers, including details of business owners.
8.3.2. Asset information records shall be sufficient to enable risk-based decision making, reduce the risk of compromise through weaknesses in hardware and software, protect assets against loss, meet compliance requirements, and inform contracts.
8.3.3. The University will ensure that the asset registers are regularly checked for discrepancies, protected against unauthorised change to preserve their accuracy, and periodically reviewed.
8.4 Cyber and Information Access Management
8.4.1. Access to University Information Systems is controlled, managed, and monitored through policies, guidelines and processes.
8.4.2. Unique user account credentials are used to control staff, student and third party access to University Information Systems and locations as needed for their functional role and tasks.
8.4.3. All accounts must be protected using two-factor (multi-factor) authentication wherever possible. Where passwords are used, they must be complex and difficult to guess, in accordance with the latest NCSC guidance.
8.4.4. Administrative and/or privileged user accounts shall be used only when needed for administrative or elevated activities and not for day-to-day work tasks; they shall be regularly reviewed and removed when no longer required. Access privileges for all user accounts shall be granted by applying the principle of least privilege.
8.4.5. The University shall utilise an Identity and Access Management system for controlling user accounts throughout their lifecycle. The system will ensure that unique account credentials are created, updated and removed in a timely manner to control access to Information Systems and locations necessary for the role’s function.
8.4.6. The University will ensure that appropriate Identification, Authentication, Authorisation, Accounting and Auditing measures are in place for all Information Systems. An appropriate level of logging, monitoring and log retention shall be implemented.
8.5 Cyber and Information Business Resilience
8.5.1. The University shall take appropriate steps to ensure Information and Cyber Security is embedded within the organisation’s business continuity management systems and is an intrinsic part of business continuity planning.
8.5.2. The University shall ensure that well defined Cyber Incident Management processes are in place, documented and regularly tested.
8.5.3. The University is committed to identifying and resolving Cyber and Information Security incidents quickly, effectively and in line with compliance requirements:
a. The University will identify, respond to, and recover from Cyber and Information Security incidents to minimise the business impact and reduce the risk of similar incidents occurring.
b. The University will conform to statutory and contractual requirements in relation to reporting.
c. The Cyber Incident Response Team shall be responsible for managing Information and Cyber Security incidents.
d. A review shall take place after each such incident to identify the root cause, highlight improvements and any lessons learned that can be applied to improve the process.
8.5.4. The University will complete a programme of risk assessment and mitigation that will ensure detailed disaster recovery plans are documented for each business-critical digital service, to enable that service to be restored within the agreed timescale in the event of a major failure.
8.5.5. The University will develop, document and test a set of plans to enable business services to continue to be delivered to an agreed level, in the event of a disaster or emergency affecting Information Systems. These plans will be made available to relevant stakeholders.
8.5.6. Cyber and Information Business Continuity and Disaster Recovery Plans will be developed as part of the University Business Continuity Plans. Cyber and Information Plans will be regularly tested and reviewed, to ensure the plans are effective and fit for purpose.
8.6 Device and Service Management
8.6.1. The University is committed to ensuring fixed and portable digital devices used to access the University information systems are managed securely and protected from cyber risk throughout their lifecycle.
8.6.2. University owned fixed and portable end-user computing devices shall be centrally managed and securely configured in line with accepted good-practice standards.
8.6.3. The University is committed to ensuring fixed and portable storage media devices are appropriately secured and managed so that information and systems are protected whilst data is in transit and at rest.
8.6.4. The University supports ‘bring your own device’ (BYOD), provided the device meets the minimum security standards, which will be enforced by conditional access controls.
8.7 Cyber and Information Physical Security
8.7.1. The University will restrict physical access to its facilities, such as data centres and network equipment rooms, to authorised personnel, and will manage that access in accordance with documented access control processes.
8.7.2. The University shall ensure that appropriate processes are in place to reduce the physical risks to its information, systems and services from internal and external environmental threats and hazards.
8.7.3. The University will ensure that any person(s) classified as visitors to the restricted facilities are suitably managed and appropriately supervised at all times.
8.8 Cyber and Information Security by Design
8.8.1. The University shall take appropriate steps to ensure its Information Systems and other digital infrastructure technologies are designed to be secure and resistant to cyber security incidents.
8.8.2. The University ensures that proof of origin, authenticity, and integrity of data are considered when designing and implementing technology solutions.
8.9 Network and Operational Security
8.9.1. The University is committed to ensuring appropriate security measures are in place to manage the identified risks and ensure the protection of information assets held in University Information Systems.
8.9.2. The University shall take appropriate steps to protect the confidentiality, integrity and availability of information assets to prevent unauthorised users and devices from gaining access to its Information Systems.
a. Access to information systems and services shall be based on the principle of least privilege.
b. All connected devices shall be appropriately configured, and monitored by Digital Services.
8.9.3. The University is committed to protecting the integrity of its information assets by having in place monitoring systems and processes which consolidate logs, identify cyber threats and support investigations.
8.9.4. All changes to the University’s Information Systems must be authorised and implemented in accordance with the Digital Services Change Management processes.
8.9.5. Staff, students and third parties must provide timely cooperation and all necessary information and access to support an investigation by the Digital Services Cyber Security Team.
8.9.6. Security measures will be documented and communicated to relevant stakeholders in the form of guidelines and processes.