Blavatnik School of Government Information Security Policy

Council has executive responsibility for information security within the University, with responsibilities flowing down through the Chief Information Security Officer, through to Heads of Department and Faculty Board Chairs and Users.

These arrangements are formalised and published in the University's Information Security Policy.

The Blavatnik School of Government has adapted our own policy from the University's template Information Security Policy to:

• Define the scope and objectives for the management of information security at the School,
• Define an information security management framework,
• Set out responsibilities and governance principles.

The policy was approved by SRG in July 2017, and will be reviewed annually.

BSG Information Security Policy.pdf

Logging Information Security Incidents

All information security incidents must be logged with the BSG ICT team by email ict@bsg.ox.ac.uk or in in the case of a serious incident in person (office 2.14) or by phone ((01865 6)14394).

Information security incidents commonly include, but are not limited to:

• lost or stolen laptops or mobile devices
• server compromises
• malware infections
• compromised accounts (e.g. accounts spamming)
• unauthorised access to information systems

A fuller description of the Incident Management process is available here: Infosec Incident Management policy.pdf

Use of Mobile devices

Users are permitted to access University services, content and data on Mobile devices including personal smartphones and tablet computers which meet the following security requirements:

• Protected by a PIN or Passphrase
• Automatically lock after a short period of inactivity
• Can be remotely wiped if lost or stolen
• Is encrypted
• Uses applications from trusted sources
• Configured to receive software updates

A fuller description of the mobile device policy, including security guidance for common smartphones is available here: Mobile devices policy.pdf

Users are permitted to access University services, content and data on self-manned laptop and desktop computers which meet the following security requirements:

• Use a vendor-supported operating system
• Apply operating system and application updates automatically
• Use different accounts for different users
• Use passwords that are at least 12 characters long
• Install anti-virus software
• Use a modern web-browser
• Use only trusted USB devices
• Only install software from reputable sources
• Enable the device's personal firewall
• Lock after a period of inactivity
• Encrypted storage
• Back-up University data
• Disable Macros by default on all MS Office software
• Securely wipe prior to disposal or re-use

A fuller description of this policy, including security guidance for common operating systems can be found here: Self Managed Devices policy.pdf

Training

As well as reading the Information Security Policy, Faculty, Staff, Students and Visitors are asked to complete the online Information Security awareness module. The training module takes around 30 minutes to complete, and includes a lot of good practice.

All members of the School community are reminded that they can raise any questions or issues regarding Information Security and Data Protection by:

• Raising a support ticket by emailing ict@bsg.ox.ac.uk

• Phoning (01865 6)14394
• In person in office 2.14