Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure.
In today's high technology environment, organisations are becoming more and more dependent on their information systems. The public is increasingly concerned about the proper use of information, particularly personal data. The threats to information systems from criminals and terrorists are increasing. Many organisations will identify information as an area of their operation that needs to be protected as part of their system of internal control. (Nigel Turnbull, 2003, p. xi)
Competitive advantage … is dependent on superior access to information. (Robert M Grant, 2000, p. 186)
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. (Ronald Reagan, 1989)
Law | Rights established |
---|---|
Data Protection Act 1998 | Protects individuals against the use of personal information by another individual or organisation. |
Freedom of Information Act 2000 | Provides individuals with the right of access to information held by public authorities and those providing services for them. |
Computer Misuse Act 1990 | Protects the right of individuals and organisations to preserve the confidentiality and integrity of their computer data. |
Copyright Designs and Patents Act 1988 | Protects intellectual property, i.e. protects the interests of an individual, or an organisation that employs such individuals, whose ownership of novel, creative or inventive work is recognised in law. |
Electronic Communications Act 2000 | Described in this course as protecting the interests of society by restricting the use of cryptographic techniques so that the Government and its authorised agents can decrypt any lawfully intercepted message. Caveat: the Act as passed contains no key-escrow scheme; its Part I register of cryptography service providers was never brought into force and lapsed in 2005, and the power to compel disclosure of keys or plaintext sits in Part III of the Regulation of Investigatory Powers Act 2000. |
Human Rights Act 1998 | Protects the right of individuals against unreasonable disruption of and intrusion into their lives, while balancing this individual right with those of others. |
Regulation of Investigatory Powers Act 2000 | Protects the originators of electronic communication from its interception without lawful authority and protects employees from unreasonable monitoring. |
Public Interest Disclosure Act 1998 | Protects employees who, in the public interest, disclose criminal or civil wrongdoing by their employer. |
Law | Relevance to OU | Effect |
---|---|---|
Data Protection Act 1998 | Governs the storage and use of information about staff and students. | The University is careful to communicate its policy to staff and students and to monitor internal compliance. |
Freedom of Information Act 2000 | Establishes the public's right of access to information relating to policy, decision-making and use of public funds by the University. | The University has systems to ensure that relevant information is either publicly available (e.g. in the OU Library) or appropriately archived. |
Computer Misuse Act 1990 | Protects the University's computer systems from unauthorised access. | The University has systems for monitoring potential abuse. |
Copyright Designs and Patents Act 1988 | Protects the rights of the University with regard to its published materials. | All materials associated with this and other courses are copyrighted. |
Electronic Communications Act 2000 | Limits the cryptographic protocols that can be used by the University. | Restricts the protocols used by staff for remote computer access. |
Human Rights Act 1998 | The University affects the lives of people. | Regulates the activities of the University among the communities within which it works. |
Regulation of Investigatory Powers Act 2000 | The University uses much electronic communication and has many employees. | Gives the University an assurance that its electronic communication cannot be unlawfully intercepted, and limits the University's power to monitor staff activity. |
Public Interest Disclosure Act 1998 | The University is an employer. | The University has a ‘whistle-blowing’ procedure which guides employees in what to do if they believe the University has engaged, or intends to engage, in criminal or civil wrongdoing. |
Type of organisation | Imperative |
---|---|
publicly listed company (plc) | Combined Code and Turnbull Report (pp. 19–21) |
organisation in supply-chain relation with a plc | Indirect pressure of Combined Code and Turnbull Report (pp. 21–22) |
UK Government (HMG) | Turnbull adapted as Orange Book (p. 22) |
non-governmental organisation (NGO) | Turnbull adapted as Orange Book (p. 22) |
non-departmental government body (NDPB) | Turnbull adapted as Orange Book (p. 22) |
organisation in supply-chain relation with HMG, NGO, NDPB | Indirect pressure of Orange Book (p. 22) |
Participants should respect the legitimate interests of others. Given the pervasiveness of information systems and networks in our societies, participants need to recognise that their action or inaction may harm others. Ethical conduct is therefore crucial and participants should strive to develop and adopt best practices and to promote conduct that recognises security needs and respects the legitimate interests of others.
The Plan activity … is designed to ensure that the context and scope for the ISMS have been correctly established, that all information security risks are identified and assessed, and that a plan for the appropriate treatment of these risks is developed. It is important that all stages of the Plan activity are documented for traceability and for the management of change. (Part 2 of the Standard, Annex B.2.1, p. 22)
management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
The Senate and management of the Open University are committed to preserving the confidentiality, integrity and availability of all the information assets of the organisation in order to maintain its competitive advantage, legal and contractual compliance, image, and reputation. All employees of the organisation are required to comply with this policy and with the ISMS that implements this policy. Certain third parties, defined in the ISMS, will also be required to comply with it. This policy will be reviewed when necessary, and at least annually.
The Senate and management of the Open University are committed to the inclusion of information security in the University's mission and business objectives, and to the continuous improvement of information security provisions as the business environment changes. All staff will receive security awareness training appropriate to their role. The University is committed to complying with, and achieving certification to, BS 7799.