
About information management


What is information management?

Information management is the term for how we handle our data securely. These days we handle vast amounts of information, and this in turn raises a number of concerns, mainly security, accessibility, compliance with contractual and legal requirements, and process problems.

Due to the nature of the University, it can be hard to get a handle on exactly what information we have. The Information Management department at UIS is here to provide guidance, education, policy, and health checks in order to assist individual institutions, departments and colleges.

Introduction

The University has no formal central function for information management (IM), although it is recognised that legal and regulatory requirements are fully met, and there are pockets of good practice around the organisation. There are some overarching policies and procedures in place, but it is not known how completely these are applied across the University. There is no formal requirement to include information management or security issues in risk registers, and therefore it is not known what the overall level of risk to the University is in this area.

The focus on this area is increasing in a number of ways:

  • Current and evolving threats; information is being published on a daily basis on the latest new threats identified.
  • Potential consequences are increasing as we become more reliant on information systems.
  • Expectations of government and research funding bodies are increasing.
  • Information Management workstrand August 2014, as part of the UIS organisational design work.  This produced a set of recommended tasks that the University should undertake in order to improve risk management in this area.
  • ISC approval October 2014, to form an Information Management division as part of the new UIS and agreement to funding for 2 additional posts on top of one current, and one additional fixed term post to assist with implementation.
  • The Cyber Security Audit January 2015, conducted by our internal auditors Deloitte which ran concurrently with the above.

Overall, organisations are as vulnerable as the ‘weakest link’, be that people, process or technology.

University Priorities

Our strategic priority areas for Information Management and Security can be summarised as follows:

  • Complying with University Statutes and Ordinances, legal and regulatory requirements
  • Protecting, promoting and extending our research
  • Protecting and preserving our student, alumni and teaching data
  • Preserving academic freedom
  • Preventing security breaches
  • Contributing to RPC's goal of ‘enabling excellent research, underpinned by renewed infrastructure that will comprise “the best research environment for the next 50+ years” ’

Approach

We are proposing to develop an approach that blends direct accountability for University-owned information assets with the provision of guidance to institutions on implementing local approaches that are proportional to the threats and risks involved. Internal audit will be asked to oversee progress with implementing the arrangements.

It is standard practice to use a maturity model for benchmarking purposes. UIS has selected the Information Assurance Maturity Model (IAMM) from the Communications-Electronics Security Group (CESG), which will help us set expectations and provide us with goals for the coming years. At this stage, we have not yet begun to build an organisation-wide Information Management function, as we are not of that scale.

However, what we can do is help and support local institutions and organisations within the University of Cambridge to remain compliant, assist in incident handling and investigations, and provide education to their user base.