Information Security Management System: Integrated Research Campus
Document Information
Version History
Version | Date | Update by | Change description | Sign off | Sign off date
1.0 | 27/06/2016 | Samantha Crossfield / David Batty | Initial version | Barry Haynes (Chair of IGMG) | 20/10/2016
2.0 | 28/02/2019 | Charles Hindmarsh | New format of ISMS | Andy Pellow (Chair of IGMG) | 22/03/2019
2.1 | 21/09/2019 | Charles Hindmarsh | Updated 1.2, 1.4, 4.1-4.4, 5.2, 6.2, 7.3, 7.4, 8.1, 8.2.2, 10.2 | Andy Pellow (Chair of IGMG) | 24/09/2019
0.1 Introduction
Purpose
The Integrated Research Campus (IRC) is a University of Leeds (UoL) IT provision.
The IRC provides secure technical infrastructure and services for research data
handling, analytics, application processing and development. This document
contains the mandatory clauses for the IRC Information Security Management
System (ISMS) and defines the goals, context and scope of the IRC ISMS as well as
the ISMS objectives and requirements for information security.
Applicability
The ISMS applies to all users and providers of IRC services and infrastructure. All
users must comply with the ISMS policies. The essential requirements are released
through frequently used documents such as the IRC user agreement, the Research
Portal (Intranet), work instructions, project proposals, data management plans and
risk assessments. This document will be used by those staff who are responsible for
maintaining, reviewing and improving the ISMS.
An aim for the ISMS is recertification to ISO/IEC 27001:2013 and the NHS Data
Security Protection Toolkit. The certifications serve to externally validate that IS best
practice has been adopted. Previously, Version 14 of the NHS IG Toolkit was
reviewed by NHS Digital (21 March 2017). Accredited certification to ISO
27001:2013 was attained on 15 May 2017 (Certification number 15331-ISN-001).
1.0 Scope
The ISMS scope encapsulates the space that meets the organisation’s needs for
secure data handling. This corresponds to the reach of the IRC secure research
environment and the services conducted therein, regardless of location, provider or
user. The IRC’s Statement of Applicability details the controls that have been
selected to treat identified risks, and provides a justification for the inclusion of each
of the 114 controls listed in Annex A of the ISO 27001:2013 Standard. Figure 1.0.1
summarises the scope and the governance structure that the IRC resides in.
The ISMS objectives apply to all in-scope elements. There is mandatory compliance
with the ISMS within this scope. Exceptions must be handled as set out in 10.1 Non
Conformity and Corrective Actions.
Figure 1.0.1 shows the ISMS scope and how it fits within the University and wider
legislation and standards. The ISMS scope is defined by the blue dashed line.
1.1 Zones
IRC zones are numbered 1-5 in Figure 1.0.1:
1. Gateway – the gateway zone between the other IRC zones and the external
environment. Data passes through here in order to move between zones or to
enter or leave the IRC.
2. Data Services – core data services are provided from this zone to users,
including access, provisioning, management and support services.
3. Safe Rooms – secure and managed rooms providing monitored access to data.
4. Virtual Research Environment (VRE) – firewalled virtual machines that are set
up for users with appropriate software, applications and data access. VREs are
remotely accessed.
5. IRC Data Storage – the zone in which research data is securely stored.
1.2 Infrastructure
1.2.1 Infrastructure in scope in Figure 1.0.1:
1. Infrastructure in the Gateway (Zone 1) includes:
a. Interfaces, such as a secure web server for uploading data.
b. External facilities used in providing secure data services where they are
brought in scope by either:
i. Formal agreement, or
ii. ‘Take-over’ of facilities as set out in the A.11.2.6 Security of Offsite
Equipment policy.
2. Infrastructure in the Data Services (Zone 2).
3. Infrastructure in the Safe Rooms (Zone 3), including thin client computers.
4. Infrastructure in the VRE (Zone 4), including the software and applications in
each virtual machine.
5. Infrastructure in the Data Storage Zone (Zone 5), used to deliver storage services.
6. Networking / Telephony Systems supporting Zones 1 to 5.
The above zones will be referred to in all ISMS documentation as the “IRC
infrastructure”.
1.3 People
1.3.1 People in scope:
1. Members of the DST (based in Zone 2).
2. Users such as researchers, clinicians and analysts while they are using a) the
IRC infrastructure or b) an application that calls upon the IRC infrastructure. A
user agreement must define the elements of the ISMS that pertain to the user.
3. IT and support staff and contractors working on the IRC infrastructure. Contracts,
service and operating level agreements must accord with the ISMS.
4. Suppliers and data providers who enter a contractual agreement with the IRC.
1.4 Services
1.4.1 Services in scope:
Services delivered on IRC infrastructure can be summarised as data capture,
process, access and storage services, including:
1. Checking and loading of data to / from the secure file transfer system, and
ensuring the transfer complies with any Data Sharing Agreement (DSA), Data
Processing Agreement (DPA) and/or Data Management Plan.
2. Development and destruction of virtual machines and access rights.
3. Data transformation, linkage and management.
4. Auditing of the use of IRC infrastructure.
5. Servers and PCs that reside on the IRC infrastructure.
6. Data held in storage or in suspension within the IRC.
Projects usually involve movement of data in and out of scope of the ISMS and
transfer must be handled according to the Information Transfer policy (A13.2).
LIDA and other areas within the University draw together research groups and data
scientists with external partners to undertake data-intensive research within the IRC.
The nature and sensitivity of the data that is processed within the IRC means that
the security systems and policies and the data processing activities must be secure and
robust.
Details of the IRC’s communication with interested parties can be found in Clause
7.4.
The IRC systems, services and operations (See Figure 1.0.1) are designed to
prevent and minimise security incidents to avoid unauthorised disclosure that could
lead to commercial, personal or reputational damage. These include:
1. Data capture, review and release (gateway) services that are operated by the
DST.
2. Data storage facilities that are segregated from other University campus IT
systems. See Access to Networks and Network Services (A.9.1.2).
3. Data processing servers and services including data cleansing, transformation,
linkage, de-identification, backup and destruction.
4. Multi-factor authenticated access to data in a VRE that is regulated and
monitored.
5. Secure File Transfer systems that are controlled by the DST.
There are a number of relevant internal and external issues which may impact on
the IRC’s ability to meet the objectives of the ISMS. These include:
Internal issues:
1. Physical Security: Protection against theft from within the UoL.
2. Culture: A commitment to information security amongst staff and researchers.
3. Staff: Retention of key, competent employees to fulfil ISMS responsibilities.
4. Acceptable Use: Adherence by staff and researchers to the terms of the IRC
agreement.
5. Organisation Structure: Ability to adapt and react swiftly to change and adopt new
standards and guidelines.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account
cost and the expectations of interested parties.
External issues:
1. Physical Security: Protection against theft from outside the UoL.
2. Client/Customer Requirements: Protection of their information as specified within
the Data Sharing Agreements.
3. Legislative or Regulatory Change: Ability to adapt and react swiftly to change and
adopt new standards and guidelines.
4. Environmental Risks: Protection against fire, flood, or other disasters which could
affect business continuity.
5. Interruption to Utilities/Communications: Contingency in the event of power or
telecoms failure.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account
cost and the expectations of clients and authorities.
documents makes up the ISMS that are named in Policies for Information Security
(A.5.1.1).
The ISMS is regularly audited and all findings, risks, incidents and vulnerabilities are
recorded along with recommended improvement plans for oversight by the IGMG.
5.0 Leadership
The UoL representatives bring the expertise to ensure that IGMG leads in
accordance with industry standards, legal requirements and UoL objectives. See 5.3
for Organisational Roles, Responsibilities and Authorities.
5.2 Policy
IGMG ensures the policies are relevant to the IRC and the University, and that they
comply with the requirements of our data providers and interested parties.
The policy objectives (See Table 6.2.1: IS Objectives) of the ISMS are as follows:
7. The ISMS complies with ISO 27001:2013 and the NHS Data
Protection and Security Toolkit and is regularly reviewed and continually
improved.
IRC Information Governance Manager | Responsibility for the development and
implementation of policies regarding IS among staff and infrastructure, including
monitoring, assessment and training.
The IGM guides the IGMG in reviewing the ISMS to ensure the ongoing protection of
information assets, technologies and data privacy.
6.0 Planning
A project and project risk assessment work instruction defines the procedures for
identifying and classifying information risk for projects that propose to use IRC
resources. The mandatory clauses and supporting controls set the criteria against
which risk is considered and the risk acceptance level (Clause 8.2). The ISMS
contains a standardised approach for selecting appropriate controls for risk
management, which also defines when and how the assessments are performed and
reviewed. The ISMS does not cover non-technical or health and safety risk
assessment processes, which are set at UoL faculty level.
The IGMG reviews these objectives at least annually to ensure they remain current
and valid.
To measure these objectives, Key Performance Indicators (KPI) with targets have
been created and are reviewed at least annually by the IGMG. The Information
Governance Manager will ensure that the data is captured and made available at
quarterly IGMG meetings.
7.0 Support
7.1 Resources
Refer to the Information Security Roles policy (A6.1.1) to view the resources
available for delivering the ISMS.
7.2 Competence
The minimum level of IS-related competence required for the specific roles listed
above is shown in Table 7.2.1.
7.3 Awareness
For the ISMS to be effective, the ISMS and good IS practices must be communicated
to and understood by all those to whom they are relevant. Where documents apply to all
IRC users these are:
7.4 Communication
This policy defines the controls for formal communications regarding IS that relate
to elements within the scope of the IRC ISMS. The purpose is to ensure that relevant
issues of IS (in particular new policies or significant changes) are communicated to
relevant individuals with clarity and consistency, so that people have the
necessary capacity to carry out their responsibilities for IS.
7.4.5 Audience
The audience will influence the channel to be chosen. Consider the following:
7.5.1 General
Documents must be developed, maintained and archived in the ISMS folders and
standardised, as set out in the clause on Document Format (7.5.2).
8.0 Operation
Control is maintained through the use of work instructions that provide operational
standards for the DST to action.
Data confidentiality, integrity and availability are the criteria against which risk is
evaluated. The IRC must manage risk so as to remain compliant with relevant
legislation and provide assurance that risks related to personal information are
managed according to internal and external standards. The assessment process and
justification for the application of risk controls will be captured in a risk log and
retained for scrutiny. Separate data protection risk assessments are carried out for
each project. Refer to the Information Security in Project Management Policy
(A.6.1.5). ISMS risks are calculated by the equation Risk = Likelihood x Impact.
A separate risk assessment process is carried out for each research project based
upon its data handling requirements and following the Project_Risk_Assessment
work instruction. The assessment will influence the controls that are needed to de-
identify personal data and any conditions set by a data sharing contract. Refer to the
Information Security During Project Management Policy (A.6.1.5).
8.3.1 Applicability
The Information Security Risk Treatment policy applies to users who treat IS and
governance risk within the scope of the IRC ISMS. It is also for use by the
IGMG, the IG Manager and the Data Protection Officer, who oversee and prioritise
risk treatment plans and own residual risk.
While it is improbable that all risks can be eliminated, the IGMG will ensure that the most
appropriate controls are employed to reduce risk to an acceptable level using the
least-cost approach, with minimal adverse impact to the IRC. The IGMG is
authorised to choose to “Accept a risk” where appropriate.
The situation will determine which risk treatment options are appropriate – none are
mutually exclusive. The IGMG approves the appropriate option for each risk and the
prioritisation of treatments, based on the risks that have been assessed to pose
greatest risk to IRC objectives. Any vendor security products and administrative
measures to be utilised are also selected based on compatibility with IRC objectives.
Results from internal and external audit findings and reports and actions
identified in the non-conformance log.
Measurements taken to prove the ISMS objectives are being met.
Feedback from researchers, staff and 3rd parties.
Issues reported in the Incident Log.
Reports from Vulnerability & Penetration Logs.
Risk Log.
Changes in legislation.
The evaluation process shall document any decisions and actions relating to:
The IGMG meets quarterly to review the measurement data, internal and external
audit findings and prioritise improvement.
Minimum attendance at each meeting is: the Chair or Deputy Chair, DPO, IRC IGM,
DST Manager, a representative from a partner or key service user, the UoL Ethics
Boards and IT Service Management (or substitutes). Attendance from further IRC
core users, data sources and UoL IT Security Group, Information Governance Group
and Legal Affairs Team are encouraged but optional depending on the agenda.
Reviews consider changes to external standards, industrial best practice and the
needs of service users.
All members are invited before each meeting to submit agenda items and supporting
papers. The agenda and previous minutes are circulated ahead of each meeting.
The outputs of the management review shall include decisions related to continual
improvement opportunities and any needs for changes to the ISMS. The
organisation shall retain documented information as evidence of the results of
management reviews.
9.3.2 Applicability
IGMG can request to review any clause or control that is in scope of the ISMS.
10.0 Improvement
10.1.1 Reporting
If a non-conformity is identified, by whatever method (e.g. risk assessment, audit, or
post-implementation review), the user must report the issue through the Reporting of
Security Weaknesses policy (A.16.1.3). If a breach of IS was discovered then refer to
the Reporting Information Security Events policy (A.16.1.2).
10.1.2 Recording
If a non-conformity is identified during an internal or external ISO 27001 audit, the
issue should be recorded in the ISMS Non-Conformities Log and reviewed for action.
Following a corrective action, the non-conformities log must be updated with the root
cause, the corrective action taken and the date of closure.