SRCPS Information Security Policy

Note

This document contains links to other policies which are not publically available. If access to these is required please submit a request to the SRCPS helpdesk.

Table of Contents

• SRCPS Information Security Policy

  • Purpose and Context

  • Interested Parties

  • Scope

  • Responsibilities

  • Definitions

  • Policy Statements

  • Compliance

  • Governance of this policy

  • References

  • Document Control

Purpose and Context

The Secure Research Computing Platform (SRCP) is designed, operated and maintained by University Information Services, to provide academic researchers of the University of Cambridge and other universities with high performance computation and data storage capabilities in a secure environment.

We, the SRCP Services, are obliged to support our clients in their efforts to comply with relevant legislation and regulations and this must be included in the relevant service level agreements with them.

Another consideration is to provide potential secure data hosting services to other groups, divisions and institutions in the future.

This policy codifies the commitment of the Secure Research Computing Platform Service to protecting the information and information systems that comprise the Service and the information and held by the Service, in order to maintain compliance with the statutory, regulatory and contractual requirements for security of data of the academic research groups who use the service.

The SRCPS is committed to providing the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an Information Security Management System (ISMS) and demonstrating through independent certification the adherence of the ISMS to the international standard ISO27001:2013.

The intended outcomes of the ISMS are:

• Conformance with best practice information security, as evidenced by ISO27001

• Conformance with NHS IG Toolkit and NHS Data Security Protection toolkit

• Conformance with other client security requirements

• A secure platform for high performance computation and data storage

Interested Parties

See Interested Parties [12] Document.

Scope

After considering the context of the organisation and the needs and expectations of the interested parties, the following scope statement has been determined:

The scope of the management system is the provision of a Secure Research Computing Platform Service to meet client (PI/Tenant) requirements including relevant regulatory obligations.

This policy applies to all members of staff who work on or with the SRCP. “Member of staff” includes any person who is engaged by the University as an employee or worker and/or who holds a University office or post, as well as any person to whom the University makes available any of the privileges or facilities normally afforded to its employees.Where graduate students are working for the University in a teaching or related capacity, this policy will apply to them in that capacity as if they were employees of the University.

Responsibilities

The ISMS Governance Group is responsible for reviewing and approving this policy, reviewing and approving the ISMS framework, overseeing the continuous improvement of the ISMS, and overseeing the management and maintenance of the risk treatment plan.

The Head of Research Computing Services in University Information Services is responsible for implementing this policy and the information security controls specified by the ISMS, providing recommendations to the ISMS Governance Group for improvements to the policy and to the ISMS, and for facilitating reviews, audits and other assessments of the effectiveness of policy implementation.

Members of staff of the SRCPS and any parties identified in the Scope of the ISMS1 are responsible for acting in accordance with this policy, the Acceptable Use Policy [11] and the ISMS that implements this policy.

Members of staff of the SRCPS and any parties identified in the Scope of the ISMS1 are responsible for reporting security breaches in accordance with the Incident Reporting Procedure [8].

Definitions

Terms and definitions used in this policy can be found in Information Security Definitions [10].

Policy Statements

The Secure Research Computing Platform Service is committed to protecting the information and information systems that comprise the Service and the information and held by the Service, in order to maintain compliance with the statutory, regulatory and contractual requirements for security of data of the academic research groups who use the service.

Information and information security requirements will continue to be aligned with SRCPS’s goals and the Information Security Management System (ISMS) is intended to be an enabling mechanism for information sharing, operations and for reducing information-related risks to acceptable levels.

The legal and contractual security requirements are documented in Client Requirements [2].

The Risk Assessment Process [3], Statement of Applicability [4] and the Risk Treatment Plan5 identify how information-related risks are controlled.

Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific tasks and the control objectives for each area are contained in the ISMS Manual [7] and are supported by specific documented policies and procedures.

The ISMS is subject to continuous, systematic review and improvement.

The full Information Security Objectives and the plan to achieve these objectives are documented in the Information Security Objectives and Plan [9].

The ISMS Governance Group will define and document a comprehensive set of policies that set out the position on information security of the SRCPS and they will be communicated to relevant personnel.

This policy will be communicated as per the distribution list above.

All staff must adhere to the Acceptable Use Policy [11].

Compliance

The consequences of breaching this policy are set out in the SRCPS disciplinary policy6 and in contracts and agreements with third parties.

Governance of this policy

The ISMS Governance Group will review this policy, and for that purpose seek advice from the Head of Research and Institutional Services, the CISO, and any other persons it considers appropriate, no later than one year after issue or the most recent review.

References

Ref.No.	Document Title	Reference	Location
1	Scope of the ISMS	ID003	Available on Request
2	Client Requirements	ID007	Available on Request
3	Risk Assessment Process	ID017	Available on Request
4	Statement of Applicability	ID023	Available on Request
5	Risk Treatment Plan	ID020	Available on Request
6	SRCPS Disciplinary Policy	ID025	Available on Request
7	ISMS Manual	ID027	Available on Request
8	Incident Reporting Procedure	ID026	Available on Request
9	Information Security Objectives and Plan	ID009	Available on Request
10	Information Security Definitions	ID010	Available on Request
11	Acceptable Use Policy	ID024	Available on Request
12	Interested Parties Document	ID006	Available on Request

Document Control

Title	ID008 Information Security Policy
Version	1.0
Originator	Madeleine Taylor
Issue	TBC
Protective Marking	Public
Last Update	04/12/2018
Next Review Date	04/12/2019