Information Security Framework Testing Policy
- Version 2.2
1. Purpose and scope
1.1. The University’s Information Security Framework must remain fit for purpose. Accordingly, this policy establishes a requirement for regular testing of the effectiveness and adequacy of information security controls, defining the objectives and scope of those tests and related responsibilities.
1.2. This policy covers the University’s Information Security Framework using the same scope as set out in the Information Security Policy.
2. Relationship with existing policies
2.1. This policy forms part of the Information Security Framework. It should be read in conjunction with the Information Security Policy and all supporting policies.
3. Policy
3.1. The Information Security Framework shall be tested regularly to assess the effectiveness and adequacy of the current set of information security controls vis-à-vis the information security objectives and to identify opportunities for continual improvement.
3.2. The tests shall focus on risk areas identified in the periodic risk assessments of information assets, audit reports, management reviews and information security incident reports as appropriate.
3.3. Tests of the adherence to, effectiveness and adequacy of current information security controls and related processes may take the form of process reviews, internally or externally delivered vulnerability assessments, and network and/or physical penetration tests. Tests may use technical methods, social engineering methods, phishing exercises, or a combination of these.
3.4. A testing schedule, including the nature, objectives and timing of University-wide behavioural testing exercises, shall be proposed as part of the Annual Review of the framework and be approved by the Professional Services Board.
3.5. The outcomes of the testing shall be presented in a report submitted to the Professional Services Board and shall inform the annual Information Security Framework Review.
4. Roles and responsibilities
4.1. The Chief Operating Officer and University Secretary, in their role as the Senior Information Risk Owner, is the sponsor for this policy, and responsible for approving the need to develop or substantively amend the policy, for presenting the final draft to the approving body and for ensuring that their policy-making documents comply with, and are monitored and reviewed in line with the Cardiff University Policy for the Development of Policy-making Documents.
4.2. The Senior Information Risk Owner is responsible for ensuring that regular testing of information security controls has been conducted in accordance with this policy.
Document control table
| Document title: | Information Security Framework Testing Policy |
|---|---|
| Author(s): | Owen Hadall, Director of IT |
| Version number: | 2.2 |
| Date approved: | 18 December 2025 |
| Effective date: | 18 December 2025 |
| Date of next review: | December 2028 |
| Superseded version: | 2.1 |