Information Security Management System – Policies & Procedures
Information Security Management System (ISMS)
Policies and Procedures
These documents are important to keep you, data and the University’s reputation secure.
The IRC Information Security Management System (ISMS) sets the procedures for protection in line with the University of Leeds Information Protection Policy. Through the IRC ISMS the University of Leeds commits to protect the security of information and information systems handled by the IRC.
IRC Information Governance and Security Policy
This policy sets the statement for information governance and information security within the IRC ISMS scope. .
IRC Framework of the Information Security Management System
This document defines the goal, context and scope of the IRC ISMS. It defines the ISMS objectives and requirements for information security. The purpose of this is to set the information security framework for IRC operations and management in support of the University’s Information Protection Policy and other relevant security policies.
IRC Information Governance Training Procedure
This document sets the procedure for training all IRC users and staff in the role of Information Governance. This includes recording and monitoring participation and competence in training, and communicating the implications of non-conformance.
The purpose is to develop a culture of best practice in information governance that contributes to the successful delivery of the ISMS. It has been designed to ensure that training addresses the IRC Framework of the ISMS objectives with consistency.
IRC User Agreement
This document defines the conditions to be abided by during use of the IRC facilities. The IRC services, infrastructure and resources are for use in secure data handling. They are provided or arranged by the University of Leeds and maintained by the IRC Data Services Team. The user accepts the conditions of use by signing an IRC User Agreement, which is counter-signed and stored by the IRC Data Services Manager. An agreement is required prior to use of the IRC data services and credentials by a user. It can be used for one or multiple projects.
IRC Event Handling Procedure
This document sets the procedures for handling security events that threaten or breach information security in the context of the IRC ISMS scope. They are to be followed if unexpected risks are raised or incidents occur. This includes procedures for reporting, communication and escalation.
IRC Research Data Management Policy
This document sets the policy for Research Data Management within the IRC. The policy ensures that data is appropriately managed in accordance with any legal, ethical and governance requirements. It sets the requirement for research data management plans and the allocation of responsibility and costs. It covers the University of Leeds data registry and the submission of derived (publication-supporting) datasets into repositories.
IRC Data Handling Summary
IRC processes are based on international standards and legal requirements for the confidentiality, availability and integrity of data. Data handling procedures are determined by the IRC’s Information Security Management System for which the IRC are seeking ISO 27001 (Information Security Management) accredited certification; and compliance with the NHS Digital Information Governance Toolkit.
IRC Policy on Data Transfer
This document sets the policy for the transfer of data in and out of the IRC, and between secure zones in the IRC. This includes transfer between the IRC gateway, storage, data services and Virtual Research Environment (VRE) zones, and between firewalled applications and virtual machines within these zones. It sets out the ISMS scope boundary and how to manage data as it crosses this boundary during transfer in and out of the IRC.
IRC Information Security Communication Procedure
This document sets the procedure for formal communications regarding information security that relates to elements within the scope of the IRC ISMS. The purpose is to ensure that relevant issues of information security are communicated to relevant individuals with clarity and consistency. This ensures that people have the necessary knowledge to carry out their responsibilities for information security.