The security policy carried out by the University of Hertfordshire is
relatively well organized across the different sectors of the university. The
university's main security policy rests on the core security principles of
availability, integrity and confidentiality of information, and on compliance.
The security policy also covers the responsibilities of members of the
university and risk management.
The information security policy is a key component of the university's
information security strategy and is based on the framework of information
security management standards. A high level of information security management
within the university requires a well-written information security policy.
These principles are applied in specific areas such as business continuity,
compliance and third-party access.
Business continuity depends on risk analysis, and the appropriate members of
staff manage this risk by reviewing it regularly. Legal and contractual issues
such as data protection, copyright and intellectual property also have a
detailed policy, and the University of Hertfordshire is committed to the Data
Protection Act. For data protection, the university's solicitor and director of
legal services acts as the data protection officer.
Members of the university and third parties such as external suppliers who
work with the university must also abide by the information security policy.
When membership expires or changes, access to information will also
The University of Hertfordshire maintains security measures for all kinds of
operational procedures. Where needed, physical and access controls are applied
to critical and sensitive information. For security purposes, areas and
responsibilities also need to be segregated to reduce the risk of damage to the
university's information security system. When migrating from one operational
system to another, suitable testing must be carried out, and parallel running
is permitted only when all security measures are in place.
All information assets are classified according to sensitivity levels agreed by
the university, and this classification is maintained under the university's
records policy.
All sensitive data and licensed software must also be deleted from equipment
before it is moved off site. For information handling, the university also
maintains a backup policy under which all information is retained for recovery
purposes and only authorized access is permitted. If any information is sent
to a third party, a receipt is recorded.
All university members have a unique ID and password to access the information
systems they require. Any access to a system is authorized by the data steward.
All equipment must be appropriately safeguarded. Email attachments must be
handled with care because of the risk of malicious code. Software without a
proper licence is not permitted to be loaded onto any university computer or
server.
For system planning the university also follows a defined policy. When a system
is upgraded, it shall be tested properly to confirm that it still complies with
the university's existing policy.
The university's systems and network shall be managed by trained and qualified
staff. The network must be monitored for malicious or physical attack and for
unauthorized intrusion. Software is also maintained by trained and qualified
staff.
policy and GDPR
The policy on business continuity is still an ongoing process and needs to be
clearly defined. GDPR Article 5(2) (accountability) requires the controller to
be able to demonstrate compliance, which means the appropriate technical and
organisational measures must be described, and Article 32(1)(d) specifically
calls for regular testing, assessing and evaluating of the effectiveness of
those measures. For business continuity this is very important.
In the university policy this is not clearly stated. The policy is integrated
with the Data Protection Act but needs more concrete information.
and third party access
Third parties need to be identified, and the university needs a definition of
what constitutes a third party. Although outsourcing is described properly,
there is still room to improve the policy.
There is no clear identification of which data will be available to members of
the university, although this is essential for the information policy.
Segregation of duties (SoD) is a risk and security measure. Under SoD, a
critical process or function must not be carried out end to end by a single
party; it is split between at least two. SoD also limits each party's access
to information, which reduces security risk. In the university policy this is
not clearly indicated, yet it is an appropriate organisational measure under
GDPR for minimizing institutional risk.
Risk assessment and risk management need to be clearly described in the
university policy.
of processing data
Data processing needs an adequate, relevant and clear purpose, and the
university needs an accurate and proper policy describing who will be
responsible for unlawful processing of data.
Categories of data
There are many rules and regulations for data processing identified by the
university, but there is no specific mention of which data will be considered
explicit data, nor of which obligations or security measures will apply to it.
How to use software, and what must be done before implementing it on a system,
is identified clearly in the policy. What happens if malicious software is
found or identified, and what the first line of defence will be, is not
identified.
For mobile computing there are certain guidelines, but there is still a lot of
room to give a clearer picture. For example, for secure access to the
university's exam timetable or other secure sections, it is sometimes not
possible to use certain VPN software, but this issue is not properly identified
in the policy. So there needs to be more adequate information about mobile
Overall, the information security policy is relatively well organized, but a
few improvements in the areas discussed above would be beneficial for
developing a more secure system. Beyond these recommendations, if a proper
monitoring and reporting system were included in the policy, it would also
support the university's other systems, such as its other policies and its
incident response system.