Information Security Framework Programme

What is the Information Security Framework Programme?

The Information Security Framework Programme is a University wide programme which will deliver improvements to the security (which covers confidentiality, integrity and availability) of information held by Cardiff University, including personal data and research data.

What is the programme aiming to achieve?

The programme will put in place a strategic framework that allows security of information to be balanced with appropriate accessibility of that information, taking into account the real risks associated with inappropriate disclosure, loss, theft or corruption.

Cardiff University will be seen as an institution which protects the personal information of its staff and students and one that offers a secure environment for research data. The introduction of a clear, consistent and logical approach to data security, coupled with the right technological tools and organisational measures, will also be of benefit in terms of staff satisfaction and productivity. It will also enhance the University's ability to compete for and secure research grants in fields involving sensitive data.

How is the programme being managed?

A Programme Manager. Mrs Ruth Robertson, has been appointed to oversee the project and she reports to a Steering Group of representatives from Colleges and Professional Support Services which is chaired by the Chief Operating Officer, Mr Hugh Jones. A cross University Operations Group also meets to ensure that proposals are reasonable and workable in practice and to assist with communications with stakeholders. A Business Change Manager is currently being recruited.

What is the timescale of the programme?

The programme is scheduled to complete in July 2015. Initially the policy and strategic aspects of the framework will be put in place, then key Information Assets and their owners will be identified and risk assessed. Applicable security controls will then be identified based on a strategic assessment of the risks the institution faces and a risk treatment plan agreed. The final stage will see the implementation of the agreed and co-ordinated measures (including policies, practices, training and tools) to complete the framework and an on-going information security management system will be set in place.

What does this mean for me?

All staff may be affected by changes to policies and procedures relating to how they access and where they choose to store University information. The programme aims to ensure that these practices and decisions are consistent, cost effective and reflect the level of security that the University has decided is appropriate in relation to the information being accessed. Some staff may also be asked to take part in Risk Assessment Workshops throughout the first half of 2013.

Is the programme just about electronic information and IT?

No – the security of information should be addressed consistently regardless of the format of the information, so whilst more and more information is held created and electronically and IT systems and processes will be a fundamental part of the programme, it will also look at the security of non-electronic records such as paper files and human behaviours. Staff awareness and training is a very key component of an information security framework.

What are the next steps?

The programme team have developed proposals for the governance framework that will be required in order to manage information security risk at a strategic level and identified an appropriate risk assessment methodology. The output of this work, along with a plan for the second stage, will be presented to the University for approval in December 2012. From late January onwards a series of risk assessment workshops with key stakeholders will be arranged.

How do I find out more information about the project?

Further briefings will follow during later phases of the programme. In the meantime, feel free to join the Information Security Framework Community on Connections which has a blog providing regular updates. Any specific queries should be directed to the Programme Manager: Ruth Robertson (GOVRN) RobertsonR@Cardiff.ac.uk or telephone 029 208 75767.