What is Information?

At the University, information is all around us. The majority of colleagues across the University rely on information, and on the systems that process it, to undertake their daily activities, whether in teaching, research or operations.

Information can be stored in a range of formats, from paper to electronic. Because information supports the key aspects of what we do as a University, it has huge value and is therefore an organisational asset, just like our people and the tangible things we can see and touch.


Information assets therefore need to be protected so that we can continue to obtain value from them. Take a moment to think about how information affects you in your role: what would a typical day look like if the information wasn't available as expected? Beyond the things that relate specifically to your role, did you think about all of the critical systems that seem ancillary, such as timetabling, door access, audio-visual equipment, payroll systems, printing, building management systems, student records, library catalogues or Canvas?

Some types of information are particularly sensitive, for a whole range of reasons: for example, any information that identifies an individual (such as students, staff or research participants), intellectual property (such as a new design or invention), or information that helps protect the health and safety of our environment. In addition to protecting the value of the information to the University, for certain classes of information there are regulatory (i.e. legal) requirements on how we protect it, and there may also be contractual requirements (for example from a research partner or supplier).

Information Security is the approach taken to ensure that valuable information assets are appropriately protected. Its purpose is to ensure that information is protected in accordance with the levels the University has identified as necessary; it is not intended as a barrier to prevent things from happening, but rather as a way to meet the needs of the University safely.

The three key properties of information that we need to protect are Confidentiality, Integrity and Availability, although there are others. These are sometimes referred to as the CIA triad. Browse through the sections below to learn more about each of these properties.


To ensure that information retains its value to the University, we have to consider the key properties identified above throughout the entire information lifecycle, irrespective of the format in which the information exists. This includes when we acquire, store, process, transmit, share, archive and dispose of information. Any of the CIA properties can be affected either maliciously or accidentally, and by an authorised or an unauthorised party, whether internal or external to the organisation.

What is Cyber Security?

While Information Security covers information in any format, Cyber Security is the general term for the protection of electronic information and networks specifically. At the University we use the terms Information Security and Cyber Security interchangeably, or in combination as Cyber and Information Security, to refer to all aspects of data and information security, whatever the format or the threat.

How do we protect information?

Information assets are protected by controls. Controls can be defined at any level within an organisation; however, there is usually a hierarchy of controls to ensure that the needs of the entire organisation are met. Control types are usually grouped into people, process or technology controls. Expand the sections below to find out more about each control group.


These are sometimes called the three pillars of information security, and the various controls work in combination. Controls can be designed with the intent to prevent, detect, respond or recover, or any combination of these.

The overall approach taken to cyber and information security within an organisation, including the controls in place, forms what is typically referred to as an Information Security Management System (ISMS). Controls work in combination to provide the required level of protection. How is the 'required level' defined? Quite simply, it depends on the information in question: its volume, its value, any regulatory or contractual requirements, and the threats to that information (amongst other factors). These are determined by undertaking an information risk assessment for each asset. The senior leadership team within the organisation defines the level of risk that the organisation is prepared to accept; this is called the risk tolerance level.