
Information Security Policy

1. Purpose and scope

1.1. The purpose of this policy is to set out the University’s aims and objectives for the management of information security throughout the University.

1.2. The scope of the Information Security Policy covers the storage, access, transmission and destruction of information, both physical and digital, in the course of Cardiff University business.

This policy applies to:

  • the conduct of staff, students and others with access to that information (wherever the information or they are located)
  • the applications, systems, equipment and premises that create, process, transmit, host, or store information, whether in-house, personally owned or provided by external suppliers

1.3. Information Security is defined as the preservation of confidentiality, integrity and availability of information. Further definitions of all key terms are found in section 8.

2. Relationship with other policies

2.1. This policy provides the overarching approach to the management of information security at Cardiff University and is the master policy document of the information security framework. All related policies shall be consistent with this policy.

3. Policy

3.1. Cardiff University is committed to preserving the confidentiality, integrity and availability of all its key information assets in order to maintain its competitive edge, legal and contractual compliance, and reputation. The information security framework (comprising this policy, supporting policies, processes and tools and the requisite management and decision-making structures) shall be an enabling mechanism for information sharing and for reducing information-related risk to acceptable levels.

4. Information security aims

4.1. The information security framework will deliver a compliant and enabling environment that balances information security with appropriate accessibility and provides the optimum level of risk management to support achievement of the University’s strategic goals.

4.2. Under the Information Security Framework, information assets will have an owner and information security controls applied to them.

4.3. The University will protect the security of its information assets to:

  • maintain the integrity and quality of information, so that it is accurate, complete, up to date and ‘fit for use’
  • make information available to those who need it, maintained for as long as the business need requires, and ensure there is no disruption to the business of the University
  • ensure that confidentiality is not breached, so that information is accessed only by those authorised to do so

thereby ensuring that the University meets its legal and regulatory obligations with respect to information handling, that business is conducted efficiently, that intellectual property is protected, and that the reputation of the University is safeguarded.

5. Information security objectives

5.1. The University will ensure that:

5.1.1. information security risks are managed, keeping risk exposure to acceptable levels by formally assessing, mitigating, and managing risk with reference to the University’s risk appetite

5.1.2. governance is applied that allocates ownership and accountability for information security risks and information assets, and the establishment of risk assessment policy and processes

5.1.3. the risk assessment methodology provides a consistent and systematic approach to estimating the magnitude of risks, and the process of comparing the estimated risk against risk acceptance criteria to determine their significance and monitor changes over time

5.1.4. the framework creates consistency of approach and clarity by ensuring that information security roles and responsibilities are clearly defined and articulated, such that all individuals understand their role and responsibilities with respect to information security

5.1.5. information security knowledge is shared and controls applied in the most efficient, effective and economical manner, maintaining high-level oversight via a coordinating body

5.1.6. appropriate information security controls are embedded into the design, build, transition, delivery and decommissioning of services, processes and technology

5.1.7. the necessary tools and advice on information security are available throughout the University, such that all individuals can access the relevant advice, policy, procedure, training or tools in a timely manner

5.1.8. measures are taken to reduce the number and severity of information security incidents, and to ensure that appropriate steps are taken with respect to reporting to relevant external and regulatory authorities. Information security incident recording, reporting and management systems are implemented and monitored, with outcomes informing future risk assessments

5.1.9. a supportive culture for information security is created within the University through clear management direction and demonstrated individual management commitment to the information security framework, including acknowledgement and explicit assignment of information security responsibilities, commitment to training uptake and reporting of security incidents

5.1.10. its information security framework is fit for purpose by utilising ISO/IEC 27001 Information Security Management Systems Requirements as guidance, conducting regular audits, and by a process of continual improvement, benchmarking itself with respect to information security against comparator institutions where possible

6. Role and responsibilities

6.1. Council has ultimate accountability for information security activities within the University. More specifically, it protects institutional reputation by being assured that clear regulations, policies, and procedures that adhere to legislative and regulatory requirements are in place, ethical in nature, and followed. Council needs to be assured that there are effective systems of control and risk management, and that governance structures and processes are fit for purpose by referencing them against recognised standards of good practice.

6.2. The Vice Chancellor, with advice from the University Executive Board, is responsible to Council for:

  • leading and fostering a culture that values, protects and uses information for the success of the University and the benefit of its members
  • defining the University’s information security risk appetite in the context of the prevailing legal, political, socio-economic and technological environment and external standards
  • ensuring that a fit-for-purpose and adequately resourced information security framework is in place, including this policy as the top-level reference document

6.3. The Senior Information Risk Owner (SIRO) is responsible for the University’s overall information security objectives and sponsors this policy. The SIRO shall be a member of the University Executive Board and shall be designated by the Vice-Chancellor. The Chief Operating Officer and University Secretary hold the role of SIRO and are therefore responsible for approving the need to develop or substantively amend this policy, presenting the final draft to the approving body and ensuring that their policy-making documents comply with, and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents.

The SIRO holds delegated authority from the Vice Chancellor to approve minor changes to any policy within the Information Security Framework that does not:

  • significantly increase the scope of coverage of the policy
  • amend roles and responsibilities or policy requirements such that significant additional workload is placed on any individuals or teams
  • introduce policy requirements that create additional funding requirements
  • introduce policy requirements that may materially impact established practice within the university community

The key responsibilities of the SIRO are to:

  • ensure that this policy, the information security objectives, risk management approach, and required controls are compatible with the strategic direction of the University
  • ensure that information assets are identified; that the top-level information governance roles are allocated and that the post-holders are appropriately briefed on their information security roles and carry out their functions with due diligence
  • own the risks associated with the information security objectives and ensure that control action owners are identified
  • ensure that exception procedures are in place to authorise at an appropriate level acceptance or mitigation of significant information security risks that deviate from agreed standards
  • determine when and by whom breaches of information security shall be reported to relevant external authorities
  • ensure there is clear direction and visible management support for security initiatives and promote continual improvement
  • ensure the Vice-Chancellor and Council are adequately briefed on risk management issues
  • establish the roles to support the implementation, maintenance, and delivery of the information security framework (Annex 1)

6.4. The Professional Services Board is responsible for providing strategic direction and focus to the activities of information security management across the University. The Professional Services Board assures the University Executive Board via the Chief Operating Officer and University Secretary, who chairs the Professional Services Board.

6.5. The Information Security Oversight Group will assure the Professional Services Board that the University continues to operate a robust and appropriate Information Security Management System. The key responsibilities of this group shall be to:

  • manage risks to the information security framework, and assess strategic implications of new or changed information security risks
  • monitor and assess the impact of changes within the regulatory landscape on the information security objectives, risks, policies and information systems
  • manage the review and update of existing policies and draft new policies as required
  • undertake annual reviews of the framework and initiate testing of the framework
  • facilitate the sharing of information security knowledge across the University
  • ensure controls are applied in the most efficient, effective and economical manner
  • develop tools, procedures and guidance to enable effective application of the framework
  • review metrics relating to the effectiveness of the framework, develop new metrics to identify trends, and propose action plans to remedy trends of concern

6.6. The Chief Digital and Information Officer is responsible for the implementation and maintenance of any appropriate technology controls (including cyber security controls) required to deliver the information systems required by this policy.

6.7. Heads of Schools/Departments/Colleges are responsible for:

  • ensuring that information assets in their areas of responsibility are identified, and that risks to them are assessed and managed
  • ensuring that appropriate controls to protect information assets in their areas of responsibility are applied, and monitored to ensure their effectiveness
  • ensuring that staff are aware of the need to adhere to this policy and associated information security policies
  • ensuring that staff in the school/department/college comply with requirements for the completion of mandatory information security training, and monitoring compliance with this requirement in their area of responsibility
  • reporting non-compliance via the defined and approved channels

6.8. All users (of university information systems and those handling or having access to university information outside of those systems) shall be responsible for:

  • complying with all relevant information security policies, regulations, practices and procedures, including any external accountability
  • complying with requirements for the completion of any information security training relevant to their role
  • reporting information security incidents via the defined and approved channels

7. Breaches of policy

7.1. Breaches of the Information Security Policy may be treated as a disciplinary matter dealt with under the University’s staff disciplinary policies or the Student Disciplinary Code as appropriate.

8. Definitions

Availability

means having appropriate access to Information Assets as and when required in the course of university business.

Confidentiality

means the restriction of information to those persons who are authorised to receive or access it.

Data

means a collection of individual facts or statistics, and can come in the form of text, observations, figures, images, numbers, graphs, or symbols.

Information

means data that has a meaning to the University or can be interpreted to derive meaning and can be held as an electronic record or in a non-electronic format (such as paper, microfiche, photograph).

Information Asset

means Information that has value to the University. Key Information Assets are the most important types of information required for the achievement of the University’s strategic aims.

Information System

means a set of information-handling components that manage the University's Information Assets, including software applications, third-party services, information technology assets, handling controls, processes and procedures.

Integrity

means the completeness and preservation of information in its original and intended form unless amended or deleted by authorised people or processes.

Quality

means the state of completeness, validity, consistency, timeliness and accuracy that makes data appropriate for both operational and strategic use.

Usable

means information that meets the university requirements for how it wants to use it (for example, to read, edit, or manipulate information).

Annex 1 – supporting information security governance roles

Role: Senior Information Risk Owner (SIRO)

Level: University Executive Board Member

Responsibilities:

  • Accountable for ensuring that the information security policy and the associated objectives are compatible with the strategic direction of the University
  • Own the risks associated with the information security objectives and ensure that control action owners are identified, including identifying key Information Assets and nominating Senior Business Owners
  • Authorise acceptance or mitigation of significant information security risks that deviate from agreed standards
  • Determine when and by whom breaches of information security shall be reported to relevant external authorities
  • Ensure there is clear direction and visible management support for security initiatives and promote continual improvement
  • Oversight of the implementation of the information security framework (including information security incident management), ensuring it is reviewed periodically and remains fit for purpose
  • Ensure the Vice-Chancellor and Council are adequately briefed on risk management issues

Role: Senior Business Owner

Level: Heads of Professional Services Departments, College Registrars or Heads of School

Responsibilities:

  • Accountable for information security controls for information systems used within their business area, or for which they are nominated by the SIRO as the Senior Business Owner for information systems that cross multiple business areas
  • Identify, own and apply appropriate mitigating actions for information security risks identified within their business area
  • Ensure information is fit for operational and strategic use
  • Confirm business purposes and required outcomes of information systems
  • Accountable for information system-specific controls to ensure security of information, including compliance with the terms of any 3rd party license or other contractual terms applying to the University’s access to, or permitted use of, the information system
  • Determine conditions under which information may be used (taking account of any legal obligations applying to that type of information), to safeguard confidentiality, integrity, and availability
  • Nominate Business Owners for dedicated information systems

Role: Business Owner

Level: Senior Managers in Professional Service Departments, Colleges, or Schools

Responsibilities:

  • Responsible for information system-specific controls to ensure the security of information
  • Define required information needs and outputs from information systems
  • Balance and maintain the confidentiality, integrity and availability needs of the information under their control in the best interests of the University and in line with agreed risk appetite
  • Confirm classifications of information within information systems
  • Confirm information system user groups/roles with associated permissions
  • Define appropriate access environments and user attributes
  • Define appropriate backup and restore requirements
  • Document and maintain an Information Security Specification for each information system
  • Define information system auditing and monitoring report requirements
  • In consultation with the University Records Manager, define retention and disposal requirements for information system records
  • Assess risks within information systems
  • Define information system-specific security processes and procedures
  • Confirm service level agreement requirements for the availability of information systems

Role: Senior Technical Owner

Level: Chief Digital and Information Officer

Responsibilities:

  • Accountable for the technical aspects of information systems to ensure the security and integrity of data
  • Nominate Technical Owners

Role: Technical Owner

Level: Senior Manager in University IT or Service Supplier

Responsibilities:

  • Build and maintain technical aspects of information systems to meet the agreed design
  • Set up and maintain data transfers
  • Implement authentication and access permission controls
  • Implement antivirus and malware controls
  • Implement back-up and restore capability
  • Implement user attribute technical controls
  • Implement auditing capability and produce monitoring reports as required
  • Implement system retention and disposal requirements
  • Provide metrics for risk assessment
  • Develop information security technical procedures, including implementing patching and security maintenance protocols
  • Ensure that security systems and penetration testing take place at appropriate intervals

Document control table

Document title: Information Security Policy
Author(s): Owen Hadall, Director of IT
Effective date: 18 December 2025
Date of next review: December 2028
Superseded version: 2.2