Information Security Policy

1. Approval and binding effect

The following Policy was approved by the Governing Body of Merton College (“the College”) on Wednesday, 3rd October, 2018.

Any amendments to this Policy require the Governing Body’s approval. The Governing Body approved amendments to this Policy on 19 June 2023.

This Policy shall be reviewed annually to ensure that any new developments are covered and protected.

All members of the College and all employees or other staff of the College are bound by these Regulations and must comply with them. For the avoidance of doubt, any reference to employees or staff shall include permanent, temporary, contract and other support staff as applicable; and “members” include both Fellows and Junior Members.

This Policy shall be communicated to users and relevant external parties, and a link to it will be provided from the College’s website.

Wilful failure to comply with this Policy and the Baseline will be treated extremely seriously by the College and may result in disciplinary action against a group and/or an individual.

2. Scope and Purpose

This Policy outlines the approach of the College to information security management and provides the guiding principles and responsibilities to ensure the College’s information security objectives are met.

This Policy is applicable across the College and individually applies to:

  • all individuals who have access to the College’s information and technologies;
  • all facilities, technologies and services that are used to process the College’s information;
  • information processed, in any format, by the College pursuant to its operational activities;
  • internal and external processes used to process the College’s information; and
  • external parties who provide information processing services to the College.

The College’s objectives for information security are that:

  • a culture is embedded to ensure that in all teaching, research and administration activities information security is considered;
  • individuals are aware and kept informed of their information security responsibilities;
  • information risks are identified, managed and mitigated to an acceptable level;
  • authorised users can securely access information to perform their roles;
  • facilities, technologies and services adequately balance usability and security;
  • implemented security controls are pragmatic, effective, and measurable;
  • contractual, regulatory and legal obligations relating to information security are met; and
  • incidents are effectively managed and resolved, and are learnt from to improve the College’s control environment.

Support and guidance for departments are offered by the Merton IT Department which in turn is supported by the central University of Oxford Information Security team, “InfoSec”.

3. Information Security Policy Framework (“ISPF”)

Information is critical to the College’s operations and failure to protect information increases the risk of financial and reputational losses. The College is committed to protecting information, in all its forms, from loss of confidentiality, integrity, and availability, ensuring that:

  • all relevant employees and members of the College complete information security awareness training;
  • information security risk is adequately managed and risk assessments on IT systems and business processes are performed where appropriate;
  • all relevant information security requirements of the College are covered in agreements with any third-party partners or suppliers, and compliance against these is monitored;
  • appropriate information security controls are implemented to protect all IT facilities, technologies, and services used to access, process and store the College’s information;
  • all information security incidents are reported in a timely manner via appropriate internal channels, information systems are isolated, and incidents properly investigated and managed;
  • Information Asset Owners are identified for all the College’s information assets, assets are classified according to how critical and sensitive they are, and rules for their use are in place; and
  • information security controls are monitored to ensure they are adequate and effective.

To provide the foundation of a pragmatic information security framework, the College will implement a set of minimum information security controls as set out in College regulations and the College’s handbooks (to be known as ‘the Baseline’).

Where research, regulatory or national requirements exceed the Baseline, controls will be increased at necessary service or project level. Where it is not possible or practicable to meet the Baseline, exceptions will be documented to justify the deviation and appropriate compensating controls will be put in place. The Baseline will support the College in achieving its information security objectives.

4. Responsibilities and Compliance

The following bodies and individuals have specific information security responsibilities:

The Finance Bursar is accountable to the Governing Body for management of the information security risks to the College’s Fellows, employees, Junior Members and other members.

The Finance Committee has responsibility for overseeing the management of the information security risks to the College's Fellows, employees, Junior Members and other members.

The Domestic Bursar is responsible for establishing and maintaining such arrangements as may be necessary to ensure the availability, integrity and confidentiality of the College’s information.

The Data Protection Officer is (as set out in more detail in the Data Protection Policy) responsible for monitoring internal data protection compliance, advising on the College’s data protection obligations and acting as a point of contact for individuals and the ICO.

The Head of IT is responsible for the implementation of information security arrangements for the computer and digital information systems operated internally by the College. The Head of IT is also responsible for the provision of expert technical advice in relation to computer and digital information security arrangements with any third-party partners or suppliers.

Users are responsible for making informed decisions to protect the information that they process.

The College shall conduct information security compliance and assurance activities, facilitated as appropriate by the University’s Information Security Team, to ensure information security objectives and the requirements of the ISPF are met.

5. Review and Development

This Policy, and supporting ISPF documentation, shall be reviewed and updated annually by the Finance Bursar, the Domestic Bursar, and the Data Protection Officer and approved by the Governing Body after review by the Finance Committee and the Statutes and Bylaws Committee to ensure that they remain operationally fit for purpose; reflect changes in technologies; are aligned to relevant best practice; and support continued regulatory, contractual and legal compliance.