Information Security FAQs for Research Funding

Information to assist staff to complete information security related questions when applying for research funding.

How does the University ensure that it complies with the Data Protection (DP) and Freedom of Information (FOI) Acts?

The University has produced compulsory on-line information security training for staff in addition to compulsory supplementary briefings for Information Assurance Coordinators, Heads of Department/Office/College and researchers. As well as information security, these training sessions cover data protection and freedom of information.

What is the University of Leicester data protection registration number and how do I get a copy of the DP registration?

You may obtain a copy of our registration with the ICO by going to Data Protection Public Register - if you enter the University's registration number Z6551415 and click Search Register this will display a copy of our registration which you can then print.

Does the university comply with information security management standards such as ISO 27001 and ISO 27002?

The University as a whole is not ISO 27000 series certified and is not currently seeking certification. However, its information security policies are based on the ISO 27000 series standard.

What audit measures have been implemented to help secure information within your organisation?

The University commissions annual internal and external audits which cover information security aspects. Actions recommended in audit reports and agreed by management are implemented.

What information measures have been implemented to help secure information within your organisation?

The University has a comprehensive suite of information security policies in place which all staff and students are required to comply with.

What physical security arrangements are in place where data is held or processed?

Answer this based on your knowledge of local building access control, door locks and door locking policy, secure filing cabinets, supervision of visitors, security staff etc. However, if data is held on University X: or Z: drives then secure centralized storage facilities in secure alarmed computer rooms are utilised. X: and Z: drive backups are also made and stored securely by IT Services.

What access controls and/or firewall controls are implemented and who manages them?

In departments with direct support from IT Services, the PCs are managed by IT Services. PCs have the Windows software firewall configured by domain policy. For departments with direct support from IT Services, local administrator access etc. is centrally managed; for other departments, systems are managed by local computer staff. Data stored on the X: and Z: drives is on central storage facilities in secure alarmed computer rooms. The University network has stateful packet filtering firewall functionality at the Internet gateway, managed by IT Services.

What local System-level Security Policy (SLSP) do you have?

University information security policy applies; however, provide any relevant local policies that apply in your area.

Has the system ever been the subject of an information security risk review?

If this has been done, provide details of its scope, date, and confirm that all the necessary recommendations have been implemented or are within current work plans. IAS is willing to assist your department with risk assessment of an information asset if you arrange it in advance.

What arrangements have been implemented to routinely monitor and assure the security of your system?

State details of local arrangements. Usage of software on University IT account PCs is logged by IT Services. A Snort-based IDS is used at the Internet Gateway. Netflow data is logged. Various methods are used to detect potential security issues. Where a usage or network anomaly is detected, the cause is investigated. Any suspected misuse or policy violation is investigated and may be reported to the Head of Department and the Registrar.

Indicate which software package and algorithm you propose to use where data encryption is to be used?

The IT Services Second Line Support team supports encryption users by providing products which comply with the FIPS 140-2 security standard - see Data Encryption. For further information contact the IT Service Desk (0116 252 2253, ithelp@le.ac.uk).

Is data encryption implemented to the minimum industry standard (256 bit)?

We believe all our supported solutions would be at least 256 bit except for Office 2007 encryption (which is understood to default to 128 bit). Our cryptography policy also requires that cryptography standards, where specified in an agreement with a data provider, are met.

Describe the method(s) of information destruction that will be employed when the work is completed?

Data on central storage managed by IT Services will be deleted in the normal way. If secure deletion of all data on a local disk is required, then a program such as Boot and Nuke or Norton/Symantec GDisk32 would be used. The University has a contract for secure onsite shredding of paper documents as well as for the secure disposal of IT equipment and hardware.

What provisions and policies does the University have in place for backing up its data?

Comprehensive provisions are in place and strictly adhered to in order to ensure that all data is backed up appropriately. These are outlined in the University’s Information Security Policies, particularly the Information Handling Policy (ISP-S7) and Use of Computers Policy (ISP-S9). Further detail and technical specifics of backup arrangements can be obtained from IT Services.

Request Information

To make a Data Subject Access Request, or a Freedom of Information Request, please contact IAS directly.