CoP1 - IS Risk Assessment
1. INTRODUCTION AND DEFINITIONS
1.1 Imperial College has legal obligations to protect information held by the College. Failure to do so could have major consequences for the College and individual staff and students. Loss of research data, or personal information about staff or students being released publicly, could be detrimental or very distressing to the staff member/student involved. A large scale data protection breach could be hugely damaging to the College’s reputation, and could result in a fine of up to £500,000.
1.2 The purpose of the Information Security Risk Assessment is to carry out a security assessment of the assets and raise awareness of information risk management with all staff across College, and to encourage departments to request additional support in managing these risks where appropriate.
1.3 An information asset is defined as a logical collection of information recorded on written / printed documents or in electronic files / databases / documents.
1.4 The Information Asset Register is a list of logical information collections across the College, e.g. employee paper records in H/R, filed supplier invoices in Finance, data held for research in an academic department, etc. Each Information Asset Register entry records the information description, ownership, accessibility, whether the asset contains sensitive data or not, how it is kept secure and its retention period. Please see Appendix A for the details.
1.5 College Leavers / Movers processes should include a check of the Information Asset Register so that any responsibilities are handed over properly.
2.1 Heads of Departments and Divisions (HoD)
Heads of Departments and Divisions are responsible for:
• identifying all information assets within their department/division.
• allocating an information asset owner for each information asset.
• making information asset owners aware of their responsibilities listed below.
• ensuring that all devices connected to the College network are registered with ICT.
2.2 Information Asset Owners
Information Asset Owners are responsible for:
• Complying with the terms and conditions of use of software assets, particularly that all software used is properly licensed.
• Putting measures in place so that the passwords or keys securing or encrypting an asset are not known to a single individual only, and are recoverable via secure means.
• Ensuring that any patient data kept in information assets is protected in accordance with this Code of Practice.
• Carrying out an information security risk assessment for every asset they own as a prerequisite of any third party access to the asset.
2.2.1 Information Asset Owners must ensure that the security of their asset meets the requirements of the College’s Information Security Policy, such that:
• All users are properly authorised before they may access the information.
• Appropriate levels of security are adopted according to the value and/or sensitivity of the information.
• They must report any incident which results in, or has the potential to result in, a breach of security to the ICT Service Desk immediately. Concerned individuals may contact any senior members of ICT or College directly.
• They must carry out an annual security assessment of their systems as part of the annual information asset register review as described in Section 3.
2.2.2 Every Information Asset Owner agrees to take at all times every reasonable care to ensure that all material held on information assets they own:
• are lawful.
• comply with Section 11 "Conditions of Use of IT Resources (Acceptable Use Policy)" in the College’s Information Security Policy.
• do not contain links to unlawful material or material that does not comply with the College Conditions of Use of (IT) Facilities.
• do not purport to promote or comment, in the College's name, upon any commercial goods, products or services, unless approved by a Head of Department.
• do not purport to promote or comment upon any company, partnership, consortium or consultancy or any "private" activity of the Information Asset Owner or any other person, unless approved by a Head of Department.
2.2.3 Any individually owned information on College information assets:
• Should not display the coat-of-arms, crest, logo, logotype, page layout or format belonging to Imperial College.
• The material must be relevant to or associated with the information owner's authorisation to use College IT facilities.
• These regulations and the appearance of individually owned information, howsoever referenced, do not imply in any way whatsoever that the College approves or endorses individually owned information or takes any responsibility for individually owned information itself or any material or opinions contained therein.
• An approved disclaimer must appear on all individually owned information indicating that this information is not formally published by the College.
3. INFORMATION SECURITY RISK ASSESSMENT
3.1 All staff at Imperial are responsible for following good information security practice to ensure information held by the College is properly protected, irrespective of the format in which it is held. Heads of Departments (HoDs) are expected to have oversight of the information security practice in their department, as part of their management responsibilities. As part of this process, HoDs are required to review and update the College Information Asset Register as part of an Information Security Risk Assessment process by 31 July every year.
3.2 The asset register also allows ICT Security to identify specific information assets where departments may benefit from specialised ICT support, and to plan information security audits. Although the information asset register is managed by ICT, consideration should also be given to the security of paper records.
3.3 HoDs may delegate responsibility for completing the information asset register to nominated person(s) in their department, but must personally sign off the final submission. This information owner is responsible for the information asset and the main point of contact for the asset.
3.4 Information assets are to be identified as logical collections. For example, information collected for a research study could be held in various media, including a number of laptops, a group space drive and USB sticks. This should be recorded as one entry describing each medium and how it is kept secure.
3.5 Information held in ICT systems and managed by the ICT Department has been pre-filled in the Register. HoDs (or their delegate) are not required to enter this information again. For example, Finance and HR information kept in the College's ICIS system is already included as part of the ICIS entry, so the HR and Finance departments do not need to re-enter it. As another example, research grant application information is already included as part of the corresponding ICT system entry, so there is no need for departments to capture this again unless they keep research grant information in a medium other than that ICT system. However, if a department extracts data from College core systems for the purposes of analysis, reporting, research or teaching, this should be recorded separately.
3.6 Departments must declare any information assets held by the department. Please list any additional systems purchased locally for digital/records storage, as ‘departmental system’ assets. Departments should contact ICT Security via the ICT Service Desk if they require advice in declaring additional information assets. Examples of such assets include cloud storage systems and paper filing systems.
3.7 When reviewing the information assets for their department, HoDs should consider:
• Any new information assets that need to be added to the register
• Any information assets that are no longer in use and can be removed from the register
• Any information assets where use has changed, where the asset register needs to be updated
• Any policy changes that affect the way information assets are used by the department
3.8 A Be Secure factsheet is sent to HoDs as part of the annual information asset register exercise, and provides key tips on information security for all staff. HoDs should circulate this sheet to all staff in their department as part of the annual information asset register exercise.
3.9 It is recognised that HoDs (or their delegate) will not have comprehensive knowledge of all the information which staff in their department are working with, or all the ways this information is stored. Departments are encouraged to reflect broadly on the key risks associated with information the department holds, and where this information is stored, when completing the information asset register. Departments may find it helpful to focus on the transmission of data, especially where data is sensitive or transmitted outside of the College. Please contact ICT Security via the ICT Service Desk for further guidance.
APPENDIX A: STRUCTURE OF INFORMATION ASSET REGISTER
• Type of information asset (generic, ICT system or Departmental system). Please indicate the type of information asset:
o Generic: Information assets which can be used to store generic data by anyone in College regardless of them being provided by ICT or not, e.g. local data storage on a PC or a mobile device; Microsoft OneDrive; Home Drive; E-mail, etc. The asset register will provide general guidelines in relation to storage of generic data. This guidance is also available on ICT’s “Be Secure” website.
o ICT provided system / service: Information assets associated with services provided by ICT to store and process specific data, usually for a targeted user base, e.g. ICIS (for processing Finance and H/R data), IPMS (Intellectual Property Management System), Pythagoras (College Space Database), etc.
o Departmental specific system: Information assets stored and processed by a specific area of the College, which could be related to educational, research or administrative purposes. These could be paper or electronic records.
• Name of information asset
• Description of the information asset: Please provide a brief description of the information asset. Where possible, please provide a brief overview of the kinds of information held.
• Location: Where is this data physically stored? For example, on a local computer, in the central College system, on an offsite server.
• Information Asset Owner: Who is responsible for the information stored in this information asset, and is the point of contact for queries about this information asset? (This person may be known as the ‘business owner’ (for systems co-ordinated by ICT) or ‘information owner’.)
• Responsible Department: Which department is accountable for this information asset? (Most likely the department of the 'information owner'.)
• Who has access to this asset? Please describe briefly the group of people who have access to this information asset – e.g. staff in a particular team, all staff in a Faculty. It is particularly important to note if any non-College employees have access to the data held on this information asset.
• Does the asset contain sensitive data? What are the risks associated with this data and how are they mitigated? Sensitive data includes:
o Commercially sensitive administration or research data
o Sensitive personal data, as defined in the Data Protection Act. This encompasses information related to an individual’s racial or ethnic origin, religious beliefs, physical or mental health or condition, sexual life, political opinions, trade union membership, or criminal convictions or proceedings.
o Personal financial data
o Patient Identifiable Data held for research purposes
o Data relating to sensitive areas of research
o Personal data, not included in the categories above, but where accidental release of the data is likely to be detrimental or distressing to the individuals the data is about. This could include, for example, students’ grades or academic progress reports, students’ mitigating circumstances claims, students’ appeals or complaints, records relating to College staff or student disciplinary proceedings, opinions about members of staff, staff PRDPs or personal information held for purposes relating to the prevention of terrorist activities. For further advice about whether your data needs to be treated as sensitive data, please contact ICT Security via the ICT Service Desk.
Please contact ICT Security via the ICT Service Desk if you require advice in identifying and mitigating risks associated with data held on this information asset.
• How is the information kept secure? Please provide a brief description of how the information is kept secure (e.g. is access password protected, are paper records containing sensitive data kept in a locked filing cabinet and how are the keys stored?). NB. Don’t write down your password or the location of your keys here!
• Back-up, Resilience and Disaster Recovery arrangements: What arrangements are in place to recover data and/or maintain functionality in case of loss or corruption of data / system(s), including disaster level events?
• Archiving and retention arrangements: How long is the information kept for, and what is the process for identifying information that is no longer needed and securely destroying it? You may wish to consult the College Retention Schedule for guidance on how long certain records should be retained.
APPENDIX B Information Asset Risk Register Template