7COM1066 Information Security Management and Compliance

  • Subject Code: 7COM1066
  • Country: UK
  • University: University of Hertfordshire

Answer:

Purpose

The data management and handling policy of the University of Hertfordshire is the statement that sets out the processes the university uses to protect its confidential and sensitive data. Its key purpose is to define the protection that must be applied to each type of information managed within the organisation. Applying these principles consistently across the university means that data is processed securely, reducing the impact of security incidents and preventing breaches (Shaikh, Adi and Logrippo 2017). This report summarises the information covered by the policy and how it is to be handled. Compliance with the data handling policy helps the university meet the requirements of the GDPR, reduces the overall effort spent on IT governance and helps to prevent information breaches.

The policy outlines the requirements and expectations for the management and governance of information and enables the university to:

  • Improve the accuracy and integration of its information
  • Improve compliance and minimise the risks of information misuse and loss (Moody, Siponen and Pahnila 2018)
  • Increase the impact of its research
  • Obtain valuable knowledge through improved accessibility and discoverability of its information
  • Provide a strong foundation for managing its information assets

Scope

The scope of this information handling policy covers the management and governance of all structured and unstructured information of the University of Hertfordshire that is collected and managed by the university to perform its business functions and deliver its services (Ormond, Warkentin and Crossler 2019). The classification and handling policy applies to every user of the university's information and communication resources: students, visitors, contractors, third parties, consultants, staff and affiliates may all create or access university information assets, including sensitive and confidential information. Any user connected to the university's network, services or systems must comply with the policy. The policy applies irrespective of device ownership or location, and any exception to it must be approved by the university's CIO.

Responsibilities

Responsibility for applying the correct classification lies with the owner of the information, while the day-to-day management of that information is the responsibility of the users who handle it. Every information domain, for example research management, human resources, or learning and teaching, should have a designated Information Domain Custodian and associated information roles, mapped to the hierarchy of the university and its operations, who are responsible for managing the data in that domain (Burney 2019). These and the other information management roles should be defined explicitly in the policy so that people clearly understand their roles, responsibilities and accountability.

Categories of Information

All university information must be classified into one of the following four levels, listed from least to most sensitive:

  1. Public: Public data is freely accessible to all users of the university and can be used, reused and redistributed without any repercussions. Examples are a person's first and last name, press releases, or a person's role in the university.
  2. Internal Use: Internal data is accessible only to internal staff and other internal personnel of the university who have been granted access (Wong et al. 2019). It includes internal memos and other internal communications, operational documents and business plans.
  3. Confidential: Access to confidential data requires specific clearance or authorisation. Examples include M&A documents, identity documents, module records and student details. Confidential information is protected by law, such as the GDPR, and managed under standards such as the ISO/IEC 27000 family.
  4. Restricted: Restricted data is data whose unauthorised access or compromise could lead to large legal fines or criminal charges, or cause irreparable damage to the university (Agrawal 2017). Examples at the university include security-relevant details of its infrastructure and sensitive research data.

Applying the classification

Information is classified according to the impact on the university of a loss of its confidentiality, integrity or availability, as set out in the Information Governance and Assurance policy:

  • Confidentiality: Protects sensitive information from unauthorised access or misuse. Most of the university's information has value to an attacker, and its systems are under frequent attack.
  • Integrity: Protects information from unauthorised modification or alteration (Joshi and Singh 2017) and provides assurance that it is complete and accurate. This requirement covers information both at rest and in transit.
  • Availability: For an information system to be useful it must be available to its authorised users. Availability protects timely and uninterrupted access to systems and information (Aminzade 2018), and responsiveness and availability of the university's information systems should be a high priority for its operations.

Management or Handling of Data

Handling rules apply to data storage, data access, data transfer, document marking and disposal, and differ by classification level (Chua et al. 2017):

  • Storage: Public data may be stored on any university device. Internal and restricted data must be stored only on systems provided or sanctioned by the university, and confidential data must likewise remain within sanctioned university systems.
  • Access: Public data is accessed without restriction. Internal data is accessed with appropriate access control and authorisation. Restricted data is accessed in the controlled manner described in the User Management Policy. Access to confidential data is strictly controlled and limited to those with the required clearance.
  • Transfer: Public data may be transferred freely. Internal data may be shared through SharePoint or email with appropriate access control. Restricted data may only be shared through a secure sharing method with appropriate controls in place. Confidential data must stay within university systems, must not be shared with other parties, and must be encrypted whenever it is transferred.
  • Marking: Documents holding internal data are marked for internal use only. Documents holding restricted data are marked "Restricted", and documents holding confidential data are marked "Confidential".

Protection of Data

To protect its data, the university should apply the General Data Protection Regulation (GDPR), which in the UK is given effect through the Data Protection Act 2018. The regulation applies directly to the university and frames how its sensitive and confidential personal data must be managed. Meeting its requirements, in particular keeping a record of what personal data is processed, where it is held and for what purpose, consolidates the university's view of its own data, makes that data easier to locate and use legitimately, and gives users a better understanding of its value (Voigt and Von dem Bussche 2017). That insight also lets the university identify areas where the needs of its data subjects are not being met.

IT Governance

For IT governance, the University of Hertfordshire can adopt the ISO/IEC 27000 family of standards for handling and protecting its data. Certification against ISO/IEC 27001, the certifiable standard in that family, provides the university with a credential demonstrating that its information security management system meets the standard's requirements (Accerboni and Sartor 2019). This gives staff and students greater assurance that their data is protected. Adopting the standard also encourages the university to familiarise itself with the accompanying guidance, which helps it to handle and manage the security of its users' confidential and sensitive data.

References

Accerboni, F. and Sartor, M., 2019. ISO/IEC 27001. In: Quality Management: Tools, Methods, and Standards. Emerald Publishing Limited.

Agrawal, V., 2017. A framework for the information classification in ISO 27005 standard. In: 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 264-269. IEEE.

Aminzade, M., 2018. Confidentiality, integrity and availability: finding a balanced IT framework. Network Security, 2018(5), pp. 9-11.

Burney, C., 2019. Roles and responsibilities of the information systems security officer. In: Information Security Management, pp. 405-414. Auerbach Publications.

Chua, H.N., Herbland, A., Wong, S.F. and Chang, Y., 2017. Compliance to personal data protection principles: A study of how organizations frame privacy policy notices. Telematics and Informatics, 34(4), pp. 157-170.

Joshi, C. and Singh, U.K., 2017. Information security risks management framework: A step towards mitigating security risks in university network. Journal of Information Security and Applications, 35, pp. 128-137.

Moody, G.D., Siponen, M. and Pahnila, S., 2018. Toward a unified model of information security policy compliance. MIS Quarterly, 42(1).

Ormond, D., Warkentin, M. and Crossler, R.E., 2019. Integrating cognition with an affective lens to better understand information security policy compliance. Journal of the Association for Information Systems, 20(12), p. 4.

Shaikh, R.A., Adi, K. and Logrippo, L., 2017. A data classification method for inconsistency and incompleteness detection in access control policy sets. International Journal of Information Security, 16(1), pp. 91-113.

Voigt, P. and Von dem Bussche, A., 2017. The EU General Data Protection Regulation (GDPR): A Practical Guide. 1st ed. Cham: Springer International Publishing.

Wong, W.P., Tan, H.C., Tan, K.H. and Tseng, M.L., 2019. Human factors in information leakage: mitigation strategies for information sharing integrity. Industrial Management & Data Systems.
