This policy states ISER's commitment to the security of the information entrusted to it and applies to all information assets that fall within the scope of ISER's certification to ISO 27001.
Information Security Policy
ISER is an intellectually open, research-driven academic department of the University of Essex in which information - in particular, that provided by others - is a critical resource and, along with the personnel who manage and process it, the most valuable asset that belongs to us. The information we use exists in many forms: on paper, digitally, in films and podcasts, and in spoken conversation. Information must always be appropriately protected regardless of how it is stored or communicated.
Information security is concerned with protecting its confidentiality - information must be available only to those authorised to access it - and guaranteeing its availability and integrity - accurate and complete information must be accessible to authorised individuals. Effective information security is achieved by appropriate management practices in compliance with legislative, University and contractual requirements.
ISER is responsible to the stakeholders who supply us with information for management and research purposes. Our stakeholders include:
- The University of Essex
- Our funders, clients and data suppliers
- Our academic and survey partners
- Our survey participants
Our stakeholders expect us not only to meet their service requirements, but also to value their information as highly as they do and to meet the information security requirements they demand of us. We are committed to meeting these expectations and to providing our stakeholders with the confidence that we are doing so through our business continuity arrangements and our information security management system (ISMS).
To achieve this, ISER's overriding information security objective is:
- to maintain an ISMS that is independently accredited as compliant with the ISO 27001 Information Security Management Standard and which applies to all ISER personnel and to all computers, networks and information managed by, and all users authorised by, ISER. It relates to their use of any IT facilities for which ISER is responsible and to all private systems when accessing those facilities; to all ISER-owned or licensed data and programs (wherever stored); to all data and programs supplied to ISER by clients, funders or other external parties; and to paper documents and records created as part of ISER business.
Within this framework, the objectives are:
- To provide cost-effective protection of all ISER's IT facilities and information assets, whether digital or paper based, created by ISER or provided and controlled by others, and to dispose of them securely at the end of their life.
- To ensure that ISER personnel are aware of and act in compliance with our ISMS, relevant legislation, and University and contractual requirements, and that they are aware of their individual responsibility for protecting the confidentiality and integrity of the information which they handle.
- To ensure that members of ISER with specific responsibilities under our ISMS over and above those expected of all members, including Information Risk Owners and technical staff, are aware of those responsibilities and act in accordance with them.
- To respond quickly and effectively to information security incidents, communicating effectively with affected stakeholders and improving our information security management as a result.
ISER will continually improve its ISMS through regular internal and external audits and timely correction of non-conformities; through modifications to our ISMS in light of the emergence of new threats and opportunities; and through a regular process of management review that will take place at least once a year. The management review will, as required, set other information security objectives and ensure that they are communicated to the relevant parties.
Document Version: 3.4 / Date: 2017-08-30