Information Governance and Security Policy documents

All members of the university must act in accordance with the following laws and University policies. Please note that further policy documents will be added as these are drafted.

Information Security Policy documents

• Information Security Policy (Overarching) - ISP-01 (PDF, 175kB) (PDF) - this is the University's paramount policy on information access and security: it relates to both computer-based and paper-based information and defines the responsibilities of individuals with respect to information use and to the provision and use of information processing systems.
• Compliance Policy - ISP-03 (PDF, 221kB) (PDF) - this outlines the University’s requirement to comply with certain legal and regulatory frameworks. It is to be read in conjunction with the Guide to legislation relevant to Information Security Policy (see below) which provides details of the legislation relevant to information security e.g. the Data Protection Act.
• Outsourcing and Third Party Compliance Policy - ISP-04 (PDF, 135kB) (PDF) - this outlines the conditions that are required to maintain the security of the University's information and systems when third parties are involved in their operation.
• Human Resources - ISP-05 (PDF, 204kB) (PDF) - sets out the Human Resources processes that must be implemented to ensure that employees are able, trained and required to protect the University's information assets.
• Information Handling Policy - ISP-07 (PDF, 139kB) (PDF) - this sets out the requirements relating to the handling of the University’s information assets. Information assets must be managed in order to protect against the consequences of breaches of confidentiality, loss of integrity, interruption to availability, and non-compliance with legislation which would otherwise occur.
• User Management Policy - ISP-08 (PDF, 190kB) (PDF) - this sets out the requirements for the effective management of user accounts and access rights. This management is essential in order to ensure that access to the University’s information and information systems is restricted to authorised users.
• Acceptable Use Policy - ISP-09 (PDF, 170kB) (PDF) - these regulations apply to everyone using the University's computing facilities. In particular they apply to staff and students at the University, and to people outside the University who have been given permission to use the University's facilities.
• System Management Policy - ISP-11 (PDF, 125kB) (PDF) - sets out the responsibilities and required behaviour of those who manage computer systems on behalf of the University.
• Network Management Policy - ISP-12 (PDF, 119kB) (PDF) - sets out the responsibilities and required behaviour of those who manage communications networks on behalf of the University.
• Software Management - ISP-13 (PDF, 124kB) (PDF) - sets out the principles and expectations for the security aspects of managing software by IT staff and end users.
• Mobile and Remote Working policy - ISP-14 (PDF, 155kB) (PDF) - this sets out the additional principles, expectations and requirements relating to the use of mobile computing devices and other computing devices which are not located on University premises when these devices are used to access University information assets with a classification of confidential or above.
• Encryption Policy - ISP-16 (PDF, 120kB) (PDF) - sets out the principles and expectations of how and when information should be encrypted.
• Investigation of Computer Use Policy - ISP-18 (PDF, 132kB) (PDF) - the University reserves the right to monitor an individual's use of the computing facilities and access data held on such facilities, or e-mail and other electronic data entering, leaving or within, the University's network in specific circumstances as laid out in this policy.
• PCI-DSS Cardholder Data Policy - ISP-19 (PDF, 134kB) - This policy designed to ensure the University can meet the standards required by the Payment Card Industry’s Data Security Standard (PCI-DSS), which is a worldwide standard set up to help process card payments securely and reduce card fraud.

Information Governance Policies

• ‌IGP-01 Information Governance Policy - This Policy establishes the key high-level principles of Information Governance at the University of Bristol and sets out responsibilities and reporting lines for members of staff. It provides an over-arching framework for Information Governance across the University.

Implementation details

• Guide to legislation relevant to Information Security Policy (PDF, 206kB) (PDF)
• Guidelines for system and network administrators (PDF, 44kB) (PDF)

Further guidance

• Data Protection - the Act gives individuals rights over their personal data and protects them from the erroneous use of their personal data. The Act also requires anyone who handles personal data to comply with a number of important principles and legal obligations.
• Copyright - this website sets out the details of licences that allow staff to copy material for educational purposes and gives advice on aspects of copyright not covered under the various licensing schemes.
• Freedom of Information - the Freedom of Information Act was introduced in 2005 to promote transparency in public bodies and introduced a public "right to know".

Any use of the Internet from (or via) the University network is also subject to the following policies:

• JANET Acceptable Use Policy
• JANET Security Policy