Information Security Policy

As University members, we are all responsible for making sure University information is kept securely and used appropriately.

The University's Information Security policy (ISP-01) and its supporting policies provide a framework to help make sure that the data held and processed by the University is managed with the appropriate standards to keep it safe. 

The policies comply with legal requirements including the Data Protection Act and the General Data Protection Regulation (GDPR).

The aims of the Information Security policies are:

  • to raise awareness
  • to avoid the disclosure of data
  • to avoid breaking the law
  • to avoid causing the University financial and reputational damage.

We are all required to work within the guidelines of the Information Security policies.

Required reading

All University members should be familiar with the University's Information Security policy (ISP-01) and the key principles of the Information Security policies. 

We should all:

  • Make sure that only those who need access to data have that access.
  • Avoid storing information where it can be accidentally exposed or lost, for example on unencrypted storage devices or on a desk in an office (even if the office is locked).
  • Make sure that if data must be sent, shared or transported, we send it securely using encrypted devices or channels.

List of policies

Policies review schedule

October 2024

  • Information Security Policy (Overarching) ISP-01

December 2024

  • Compliance ISP-03
  • Human Resources ISP-05
  • User Management ISP-08
  • Encryption ISP-16

May 2025

  • Acceptable Use ISP-09
  • System Management ISP-11
  • Mobile and Remote Working ISP-14
  • PCI-DSS ISP-19

September 2025

  • Outsourcing and Third Party Compliance ISP-04
  • Information Handling ISP-07
  • Network Management ISP-12
  • Software Management ISP-13
  • Investigation of Computer Use ISP-18