1 Introduction

1.1 Information is fundamental to the effective operation of the Department of Chemistry and, next to staff, is its most important asset. Failure to adequately secure information increases the risk of financial and/or reputational loss to the Department of Chemistry. These Information Security policies follow UIS policies with local explicit examples.

2 Purpose

The objectives of this policy are to:

2.1 Ensure that all information and information systems within the Department of Chemistry are protected to the appropriate level.

2.2 Ensure that all users are aware of and comply with this policy, including its sub-policies, and all current and relevant UK and EU legislation.

2.3 Provide a safe and secure information systems environment for staff, students and any other authorised users.

2.4 Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.

2.5 Protect the Department of Chemistry from liability or damage through the misuse of information or information systems.

2.6 Ensure that information is disposed of and/or deleted in an appropriately secure manner when it is no longer relevant or required. The following policies give examples of the management of data after it is no longer required:

https://www.ch.cam.ac.uk/computing/policy-orphaned-data

https://www.ch.cam.ac.uk/teaching/examinations-data-retention-policy

3 Scope

3.1 The Information Security Policy applies to information in all its forms, collectively termed ‘information assets’ within this document. It covers information in paper form, stored electronically or on other media, information transmitted by post, by electronic means and by oral communication, including telephone and voicemail. It includes text, pictures, audio and video. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.

3.2 This policy applies to all staff, students and other members of the Department of Chemistry and also to third parties who interact with information held by the Department of Chemistry and the information systems used to store and process it, collectively termed ‘users’ throughout this document. This also includes visitors (in any capacity, including members of the public) who have been granted access to any Departmental IT resources.

3.3 For the purposes of this document, information security is defined as the preservation of:

Confidentiality (protecting information from unauthorised access and disclosure)

Integrity (safeguarding the accuracy and completeness of information)

Availability (ensuring that information and associated services are available to authorised users when required)


4 Information Security Principles

The following principles underpin this policy:

4.1 Information will be protected in line with all relevant Department of Chemistry policies, UK and EU legislation, specifically including GDPR.

4.2 It is the responsibility of all individuals to be mindful of the need for information security in the Department of Chemistry and to be aware of and comply with this policy, including its sub-policies, and all current and relevant UK and EU legislation.

4.3 Each information asset will have a nominated owner who will be assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.

4.4 All information will be classified according to a level of risk (section 5).

4.5 Information will be made available solely to those who have a legitimate need for access to it.

4.6 It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.

4.7 Information will be protected against unauthorised access.

5 Information Classification

The following table provides a summary of the risk-based information classification levels that have been adopted by the Department of Chemistry. These classifications govern how we deal with a potential data breach, and the level of attention this breach receives.

Classification Level / Description / Examples

High
Description: Loss, misuse or unauthorised access to this data could result in significant financial loss, reputational loss and litigation.
Examples: Student data; Staff data; Financial data; Graduate and alumni data; Customers and clients; Other personally identifiable information

Medium
Description: Loss, misuse or unauthorised access could result in reputational loss and litigation.
Examples: Teaching data; Research data; Estates data; Governance records

Low
Description: Loss, misuse or unauthorised access could result in reputational loss.
Examples: Collections data; Public-facing content

6 Legal and Regulatory Obligations

The use of information is governed by a number of different Acts of Parliament. All users have an obligation to comply with current relevant legislation which includes, but is not limited to:

- Computer Misuse Act (1990)

- The Data Protection Act (1998)

- Freedom of Information Act (2000)

- Copyright, Designs and Patents Act (1988)

- Regulation of Investigatory Powers Act (2000)

- Human Rights Act (2000)

- Electronic Communications Act (2000)

- Digital Economy Act (2010)

- Obscene Publications Act (1959 & 1964)

- Counter-Terrorism and Security Act (2015)

7 Breaches of Security

7.1 Any individual suspecting that the security of a computer system has been, or is likely to be, breached should inform one of the Chemistry Computer Officers immediately. They will advise on what steps should be taken to avoid incidents or minimize their impact, and identify action plans to reduce the likelihood of recurrence.

7.2 In the event of a suspected or actual breach of information security, Chemistry Computer Officers (with or without consultation) may require that any systems suspected of being compromised are made inaccessible.

7.3 Where a breach of security involving either computer or paper records relates to personal information, the University Data Protection Officer must be informed, as there may be an infringement of the Data Protection Act or GDPR.

8 Policy Awareness and disciplinary procedure

8.1 This policy will be made available to all new and existing staff, students and members of the Department of Chemistry. All other users of the Department of Chemistry’s information systems will be advised of the existence of this policy, which will be made available on the Department’s website.

8.2 All users are required to familiarise themselves with this policy and comply with its requirements.

8.3 Failure of an individual student or member of staff to comply with this policy may lead to the instigation of disciplinary procedures up to and including dismissal and, in certain circumstances, legal action may be taken. Failure of other users to comply may lead to revocation of access, the cancellation of a contract and, in certain circumstances, legal action. The Department of Chemistry may refer the user to the police where it reasonably believes a crime has been committed and will co-operate fully with any police investigations.

9 Governance

9.1 Responsibility for the production, maintenance and communication of this top-level policy document and all sub-policy documents lies with the Department of Chemistry Head of IT.

9.2 Each of the documents constituting the Information Security Policy will be reviewed annually. It is the responsibility of the Department of Chemistry Head of IT to ensure that these reviews take place. It is also the responsibility of the Department of Chemistry Head of IT to ensure that the policy set is and remains internally consistent.

9.3 Any substantive changes made to any of the documents in the set will be communicated to all relevant personnel.

10 Policy Set

For reference, the applicable UIS policies can be found at the following address:

UIS policies | IT Help and Support (cam.ac.uk)


11 Additional Requirements

In addition to the guidance set out above, the normal security requirements must be complied with. Specifically:


Reviewed 4th May 2023
