Understanding Information Security

What is information security?

Information security refers to the steps that we can take to:

  • Ensure good data management.
  • Protect information against damage, loss and theft.
  • Protect the ICT equipment and systems used to collect, store and process that information.

Why is information security important?

Certain types of information are legally protected under the Data Protection Act (e.g. staff, student and medical records). Other types of information may be protected by a contractual agreement (e.g. financial or commercially sensitive data provided by a private sector company).

A failure to safeguard other people’s personal information may cause them serious distress. In some cases, those people may become victims of crime. Negative publicity and regulatory action by the Information Commissioner’s Office may also cause significant damage to the reputation of the University.

A failure to safeguard information that is protected by a contractual agreement may result in the University being refused access to important research funding and research data. Such an event may impact the University's ability to carry out research.

What are the threats?

The types of threat that may result in the damage, loss and theft of protected information include:

  • Loss and theft of portable computing devices (e.g. laptops, tablet computers and smart phones) and portable storage devices (e.g. USB flash drives and external hard disk drives).
  • The accidental publishing of confidential information on the Internet (e.g. social media, blogs and messaging boards).
  • The sending of a confidential email to the wrong recipient.
  • Large volumes of confidential printed information kept on desks.
  • Confidential documents left on photocopiers and fax machines.
  • Unlocked filing cabinets.
  • Incorrect disposal of confidential information (e.g. failure to shred confidential paper waste, failure to securely erase computer data).
  • Non-secure cloud computing (e.g. cloud service may be located in a country with no data protection laws).
  • Scam emails sent by criminals in an attempt to obtain important personal information.
  • Viruses and malicious software.
  • Computer hackers.

Personal information is valued by criminals who will steal it for fraudulent purposes. In 2010 the National Fraud Authority revealed that £1.9bn was fraudulently obtained in the UK through the theft of 1.8 million identities, averaging over £1000 for each victim.

PricewaterhouseCoopers revealed in their 2008 Information Security Breaches Survey that the loss and theft of portable computing devices and portable storage devices is a major cause of information security breaches in the work place.

What steps can we take to protect information?

The ISS Information Security Team has produced new guidance to help you protect information. This guidance can be accessed from the Information Security Home Page