Recommended reading

Details of the Information Security governance framework, including Information Security Policy, Information Security Standards and Computing Acceptable Use Policy.

The Computing Acceptable Use Policy

This Acceptable Use Policy governs the use of University computing and network facilities by authorised users, including staff, students and visitors.

It applies to all services operated by, or on behalf of, the University, and also covers the use of personally owned devices, remote networks and services.

Private use is permitted too, but don't overdo it

The Acceptable Use Policy recognises that, though computing facilities are for work-related activity, private use is permitted, so long as it does not impact staff employment responsibilities or student education (and, of course, does not break the law).

The Acceptable Use Policy forbids any use that is illegal or brings the University into disrepute. This includes excessive 'private use'. Breach of the Acceptable Use Policy is a disciplinary offence.

The Information Security Policy

The Information Security Policy details how everyone is responsible for protecting University information. It states how we ensure that the confidentiality, integrity and availability of that information are maintained. It covers the need to take account of physical security, business continuity and technical requirements.

The policy is presented as a PDF document. Other formats can be produced upon request.

Information Security Standards

The Information Security Standards add more detail to the Information Security Policy, focussing on specific areas with each document. The list of current standards is:

  • S.0 - Purpose of Standards - An overview of the purpose of the Standards and how to use them.
  • S.1 - Information Classification - This document outlines classification levels data may take within the University, and what controls should be considered as part of protecting and handling data at each level. 
  • S.2 - Data Protection - This provides direction to various Data Protection governance documents.
  • S.3 - Data Steward - This document describes the "Data Steward" role in the University. 
  • S.4 - Access Management - This document defines requirements for identity and access management as well as authentication, but does not cover physical access management. 
  • S.5 - Operational Security - This Standard contains the requirements for operational security within the University, assisting in reducing risk by establishing operational security practices.
  • S.6 - Asset Management - This Standard contains the requirements for asset management within the University, requiring that assets are defined, secured and handled. 
  • S.7 - Secure Configuration - This standard contains the requirements for secure configuration of University applications and the systems they reside on. 
  • S.8 - Security Assessment and Testing - This Standard defines the minimum security assessment, testing and remediation requirements for University information assets and technology, including assessment and testing to identify and manage vulnerabilities and risks. 
  • S.9 - Physical Security - This document defines requirements to prevent unauthorised physical access, damage, interference and loss of physical assets, information and information processing facilities. 
  • S.10 - Incident Management - This Standard specifies the measures that the University requires before, during and after an incident occurs.
  • S.11 - Third Party - When contracting a third-party vendor or service provider, this document ensures appropriate controls and requirements are implemented to help avoid information security issues that could adversely impact the University’s information assets, technology or reputation. 
  • S.12 - Cloud Security - This standard contains the requirements for use of cloud services by the University of Edinburgh.  
  • S.13 - University Provided Portable Device - This document specifies the University of Edinburgh’s minimum mandatory requirements for the use of University issued mobile devices and removable media devices. 
  • S.14 - Bring Your Own Device (BYOD) - This standard contains requirements for the security of unsupported and personal devices used to access University systems, services or data, also known as BYOD devices. 

The standards can be found on the Information Security Sharepoint site. Please note that direct links to individual standards should be avoided, and links to the current page (https://infosec.ed.ac.uk/information-protection-policies/information-security-required-reading) should be used instead. 

Further reading

The Information Security Strategy document outlines the current security landscape and plans to address it.