.. _information_policy:

*********************************
SRCPS Information Security Policy
*********************************

.. note::

   This document contains links to other policies which are not publicly available. If access to these is required please submit a request to the :ref:`SRCPS helpdesk `.

.. contents:: Table of Contents

Purpose and Context
###################

The Secure Research Computing Platform (SRCP) is designed, operated and maintained by University Information Services, to provide academic researchers of the University of Cambridge and other universities with high performance computation and data storage capabilities in a secure environment.

We, the SRCP Service, are obliged to support our clients in their efforts to comply with relevant legislation and regulations, and this must be included in the relevant service level agreements with them. Another consideration is to provide potential secure data hosting services to other groups, divisions and institutions in the future.

This policy codifies the commitment of the Secure Research Computing Platform Service to protecting the information and information systems that comprise the Service and the information held by the Service, in order to maintain compliance with the statutory, regulatory and contractual requirements for security of data of the academic research groups who use the service.

The SRCP is committed to providing the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an Information Security Management System (ISMS), and to demonstrating through independent certification the adherence of the ISMS to the international standard ISO27001:2022.

The intended outcomes of the ISMS are:

* Conformance with best practice information security, as evidenced by ISO27001
* Conformance with the NHS Data Security and Protection Toolkit
* Conformance with other client security requirements
* A secure platform for high performance computation and data storage

Interested Parties
##################

See Interested Parties Document [12].

Scope
#####

After considering the context of the organisation and the needs and expectations of the interested parties, the following scope statement has been determined:

The scope of the management system is the provision of a Secure Research Computing Platform Service to meet client (PI/Tenant) requirements including relevant regulatory obligations.

This policy applies to all members of staff who work on or with the SRCP. "Member of staff" includes any person who is engaged by the University as an employee or worker and/or who holds a University office or post, as well as any person to whom the University makes available any of the privileges or facilities normally afforded to its employees. Where graduate students are working for the University in a teaching or related capacity, this policy will apply to them in that capacity as if they were employees of the University.

Responsibilities
################

The ISMS Governance Group is responsible for reviewing and approving this policy, reviewing and approving the ISMS framework, overseeing the continuous improvement of the ISMS, and overseeing the management and maintenance of the risk treatment plan.

The Head of Research Computing Services in University Information Services is responsible for implementing this policy and the information security controls specified by the ISMS, providing recommendations to the ISMS Governance Group for improvements to the policy and to the ISMS, and for facilitating reviews, audits and other assessments of the effectiveness of policy implementation.

Members of staff of the SRCP and any parties identified in the Scope of the ISMS [1] are responsible for acting in accordance with this policy, the Acceptable Use Policy [11] and the ISMS that implements this policy.

Members of staff of the SRCP and any parties identified in the Scope of the ISMS [1] are responsible for reporting security breaches in accordance with the Incident Reporting Procedure [8].

Definitions
###########

Terms and definitions used in this policy can be found in Information Security Definitions [10].

Policy Statements
#################

The Secure Research Computing Platform Service is committed to protecting the information and information systems that comprise the Service and the information held by the Service, in order to maintain compliance with the statutory, regulatory and contractual requirements for security of data of the academic research groups who use the service.

Information and information security requirements will continue to be aligned with SRCPS's goals, and the Information Security Management System (ISMS) is intended to be an enabling mechanism for information sharing, operations and for reducing information-related risks to acceptable levels.

The legal and contractual security requirements are documented in ID068 Compliance [2].

The Risk Assessment Process [3], Statement of Applicability [4] and the Risk Treatment Plan [5] identify how information-related risks are controlled. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific tasks.

The control objectives for each area are contained in the ISMS Manual [7] and are supported by specific documented policies and procedures. The ISMS is subject to continuous, systematic review and improvement.

The full Information Security Objectives and the plan to achieve these objectives are documented in the Information Security Objectives and Plan [9].

The ISMS Governance Group will define and document a comprehensive set of policies that set out the position on information security of the SRCPS, and they will be communicated to relevant personnel. This policy will be communicated as per the distribution list above.

All staff must adhere to the Acceptable Use Policy [11].

Compliance
##########

The consequences of breaching this policy are set out in the SRCPS disciplinary policy [6] and in contracts and agreements with third parties.

Governance of this policy
#########################

The ISMS Governance Group will review this policy, and for that purpose seek advice from the Head of Research and Institutional Services, the CISO, and any other persons it considers appropriate, no later than one year after issue or the most recent review.

References
##########

+----------+------------------------------------------+-----------+----------------------------------+
| Ref.No.  | Document Title                           | Reference | Location                         |
+----------+------------------------------------------+-----------+----------------------------------+
| 1        | Scope of the ISMS                        | ID003     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 2        | Compliance                               | ID068     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 3        | Risk Assessment Process                  | ID017     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 4        | Statement of Applicability               | ID023     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 5        | Risk Treatment Plan                      | ID020     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 6        | SRCPS HR Policy > Disciplinary Process   | ID057     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 7        | ISMS Manual                              | SRCP ISMS | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 8        | Incident Reporting Procedure             | ID026     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 9        | Information Security Objectives and Plan | ID009     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 10       | Information Security Definitions         | ID010     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 11       | Acceptable Use Policy                    | ID024     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+
| 12       | Interested Parties Document              | ID006     | Available on Request             |
+----------+------------------------------------------+-----------+----------------------------------+

Document Control
################

+--------------------+-----------------------------------+
| Title              | ID008 Information Security Policy |
+--------------------+-----------------------------------+
| Version            | 1.0                               |
+--------------------+-----------------------------------+
| Originator         | Madeleine Taylor                  |
+--------------------+-----------------------------------+
| Issue              | TBC                               |
+--------------------+-----------------------------------+
| Protective Marking | Public                            |
+--------------------+-----------------------------------+
| Last Update        | 04/12/2018                        |
+--------------------+-----------------------------------+
| Next Review Date   | 04/12/2019                        |
+--------------------+-----------------------------------+