Ownership of information security
As a head of division, head of department or faculty board chair, you are ultimately accountable for information security arrangements within your area. You can delegate the responsibility, but not the accountability – even when using the services of other departments or third-parties. It is important to familiarise yourself with the University’s Information Security Policy, so you understand how information security is managed across the University, and to set the tone for information security within your unit.
Specific information security requirements
At the most basic level, you simply need to adhere to the University's Information Security Policy. However, your division, department or faculty may need to comply with other specific information security requirements. As a head of division, department or faculty board chair you should be aware of what these requirements are and how you comply with them. They may include:
- PCI DSS for secure handling of payment card data
- NHS DSPT for secure handling of data from NHS Digital
- Specific legal or contractual requirements with research councils or partners
- Security requirements of other third parties
- Security requirements of the UK GDPR
One way to document these would be in a short page policy document or similar, for which there are templates available for you to use. There is no requirement to do this, as long as they are incorporated in your department/division/faculty documentation.
Also bear in mind that whilst information security contributes towards compliance with data protection law, they are not the same thing and you are obliged to make sure you’re compliant with all data protection principles. Details of these can be found on the data protection website.
Roles and responsibilities
We recognise that you will likely need to devolve responsibility for the day-to-day management of information security, so you should document how this is done. As a minimum, you should define and document:
- Who is accountable
- A point of contact for the central Information Security team to liaise with on general security issues
- Responsibility for coordination of day-to-day information security activities within your division, department or faculty (i.e. who will coordinate responses to reports, risks and mitigating actions)
- Responsibility for managing your IT infrastructure and security arrangements
- A point of contact for, and responsibility for coordinating responses to, information security incidents
These responsibilities may be shared among one or more staff members and/or across one or more roles, but all involved should be made explicitly aware of their individual responsibilities.
Information security framework
Remember, information security is not just an IT issue, it is about people and processes as well as the technology. Your senior management group should be aware of, and take ownership over, responses to incidents, risks and other issues relating to information security within your division, department or faculty. To embed information security into your management framework it should be a standing agenda item in at least one regular senior management meeting to cover (for example):
- Known risks
- Recent and ongoing incidents
- Reports on compliance
- A review of new or outstanding actions
The Information Security team will provide you with tools so that you can monitor compliance with University policies, receive regular reports on security incidents and be alerted to current threats. Your senior management group should review these issues on a regular basis and ensure that there is appropriate ongoing provision of resources and support to address risks within your division, department or faculty.