Professional Documents
Culture Documents
A.13.0 Communication Security 2.1
A.13.0 Communication Security 2.1
A.13.0 Communication Security 2.1
Campus
Document Information
Version History
Change
Version Date Update by Approved By Date
description
Samantha
Barry Haynes
1.0 27/06/2016 Crossfield / Initial version 20/10/2016
(Chair of IGMG)
David Batty
Charles New ISMS Andy Pellow
2.0 1/03/2019 22/03/2019
Hindmarsh layout (Chair of IGMG)
Updated
Charles A.13.1.2 Andy Pellow
2.1 07/05/2019 25/09/2019
Hindmarsh A.13.2.1 (Chair of IGMG)
A.13.2.2
Contents
Introduction.............................................................................................. 4
Purpose .................................................................................................... 4
Applicability ............................................................................................. 4
A.13.0 Communication Security ............................................................ 4
A.13.1 Network Security Management .................................................. 4
A.13.1.1 Network Controls ...................................................................................... 4
A.13.1.2 Security of Network Nervices .................................................................... 4
A.13.1.3 Segregation in Networks ........................................................................... 5
A.13.2 InformationTransfer .................................................................... 5
A.13.2.1 Information Transfer Policies and Procedures .......................................... 6
A.13.2.1.1 Preparation for Transfer ..................................................................... 6
A.13.2.1.2 Data Processing ................................................................................. 6
A.13.2.1.3 Transfer Review ................................................................................. 6
A.13.2.1.4 Data Transfer Log .............................................................................. 7
A.13.2.2 Agreements on Information Transfer ........................................................ 7
A.13.2.3 Electronic Messaging................................................................................ 8
A.13.2.4 Confidentiality, Non-Disclosure and/or Data Sharing Agreements (DSA) . 8
Introduction
The Integrated Research Campus (IRC) is a University of Leeds IT service. It
provides secure technical infrastructure and services for research data handling,
analytics, application processing and development.
Purpose
This document sets out the network and communication security requirements within
the scope of the IRC Information Security Management System (ISMS).
Applicability
Policies for Transferring Data, Electronic Messaging and Data Sharing (DSA) or
Data Processing Agreements (DPA) apply to everyone. Policies for network security
apply to all those who are authorised to change and develop the services in IT.
3. The IRC firewall sits within the UoL campus network and is not be exposed to
the same external risks as an internet facing firewall.
4. All IRC network traffic to and from the internet is secured using encryption
(A.10.1.2.1 and A.10.1.2.2)
5. Unusual activity that is detected by the central logging service will be recorded
and investigated by the IT Assurance team.
The policy applies to all IRC users and IT staff involved in the transfer of data. The
DST performs transfers according to policy.
1. All received data are virus-scanned within the IRC gateway zone
2. Data files are checked manually or automatically for disclosure upon entry
and prior to internal transfer or exit
3. Transfer review (A.13.2.1.3) is based on DSAs/DPAs and other legal and
ethical requirements
Prior to transferring personal data, the DST review the consent or other ethico-legal
framework to ensure it covers the proposed transfer. Alternatively, data may be de-
identified or obfuscated at source. Where the data is held on the IRC infrastructure,
this may be conducted by the IRC Data Services Team (with the appropriate ethical
and governance approval).
IRC users may develop derived datasets from personal data held on IRC
infrastructure.
1. The user prepares the derived dataset (they may request support from the
IRC Data Services Team)
2. The user submits a data transfer request to the Data Services Team and
places the derived data in a specified file
3. The Data Services Team review the derived extract using the ICO
Anonymisation Code of Practice and apply UKDS-accredited statistical
disclosure controls to ensure it is de-identified and classed as IRC Public
4. The Data Services Team release the dataset via the gateway zone
All agreements will be kept on the IRC Data Sharing /Licence Agreement register.
If an agreement expires the data must be deleted in accordance with the terms of the
agreement, unless there is clear evidence that the 3rd party are aware of the situation
and that a new agreement is actively been pursued.