Information Security

New Information Security Policy January 2018 - Key Points

Key points you need to know about the Information Security Framework and how it affects you

As of the 8th January 2018 the new information security policy is in force. It will introduce a number of changes and updates which all staff and students should be aware of. We have outlined the key points below:


  1. A notable development within the Policy refresh is the introduction of an overall Information Security Framework. This Framework comprises the Policy, the supporting Standards and Procedures.  The Standards and Procedures further define information security control requirements that encompass a broad range of people, process and technology elements.  These are currently in development and will be launched during 2018.


  1. This Policy Framework applies to:
  • Everyone within the University of Edinburgh who accesses University information assets or technology.  This includes users*, students and alumni.
  • Technologies or services used to access or process University information assets.
  • Information assets processed in relation to any University function, including by, for, or with, external parties.
  • Information assets that are stored by the University or an external service provider on behalf of the University.
  • Information that is transferred from and/or to the University for a functional purpose.
  • 3rd party, public, civic or other information that the University is storing, curating or using on behalf of another party.
  • Internal and/or external


*Users are defined as all staff, contractors, visitors, consultants and any third parties engaged to support University activity and who have any authorised access to any University information assets. 


  1. The refreshed Policy Framework addresses three key areas:
  • Protecting the confidentiality, integrity and availability of the University’s key information assets and technology.
  • Takes a risk-based holistic approach to managing information security risks.
  • Provides a flexible, outcome based, approach that recognizes the different operational needs across different areas within the University.


  1. To embed these new requirements, and to meet wider good practice, Information Security Awareness training is mandatory for all employees and for anyone having University authorised access to our systems or data.  The current online training material is being replaced to coincide with the Policy launch.


  1. The Head of College or Support Group is accountable for ensuring adequate and effective information security controls are in place within their area of responsibility.


  1. The Policy is owned, managed and developed by the Chief Information Security Officer (CISO) on behalf of the University.


The full version of the policy is available here.