The overwhelming majority of HEFCE’s information is held in our IT systems. This enhances our ability to use, communicate, share and store information in a variety of ways, drawing on the capability of new technology.
This capability enables HEFCE to use the information in its possession to act as the authoritative voice for higher education by informing policy, raising challenging questions and functioning efficiently in its role as a funder and regulator of the higher education sector in England.
At the same time, we recognise that using new technologies also brings a risk of the inadvertent, uncontrolled loss of information.
We support the Government’s efforts to manage information owned and used by the public sector in a secure way that is designed to protect the confidentiality, integrity and availability of business and personal information. For this reason, we have actively engaged with the Security Policy Framework since it was first introduced by the Government in 2008. See the latest version of the Security Policy Framework.
The purpose of this document is to describe our approach and commitment to protecting the information we hold.
Our approach to information security
HEFCE aspires to provide a consistently high quality service to its stakeholders across all that it does. This requires our approach to the management of IT and communication to be supported by robust and secure systems and processes that protect information and, in particular, personal data.
We seek to protect our information assets, which include large quantities of personal data concerned with our policy analysis and funding roles, wherever, however, and whenever they are created, processed, transmitted, shared or stored. Our intention is to protect our information assets from misuse of any type, including unauthorised disclosure, modification and destruction. We manage the development and continuous improvement of our information security processes through drawing on UK government and international standards.
This is achieved through:
- utilising cross-council groups with oversight of this work
- assigning senior and other roles with specific responsibilities in this work
- using regularly reviewed policies, procedures, guidance and technical responses to issues arising
- all staff completing required training packages
- regular independent review by internal audit
- assessing and responding to information incidents that arise
- reporting annually to our Audit Committee and incorporating a statement about information security in the Governance Statement in our annual accounts
- assessing our standing in this work and making annual returns to our sponsoring department in government (from 2016-17, the Department for Education) about our information security arrangements.
Our information security policies and standards
Our information security policies are designed to support staff in achieving the level of confidentiality, integrity and availability in the use of our information that we seek to have. These policies are a blend of technical, behavioural, cultural, ethical and process driven approaches to information security.
As a relatively small organisation, we are able to maintain a high level of consistency and awareness in the application of these policies, which cover a wide range of issues, for example:
- information asset management
- access control (including technically applied segregation of duties)
- HR policies and procedures, including mandatory e-training programmes
- technical and standards policies, including the acquisition, development and maintenance of hardware and software
- physical, environmental and technical security measures, for example data loss protection and encryption
- incident management
- independence in roles and responsibilities, for example the Senior Information Risk Officer has an assurance role independent from the line management of IT services
- business continuity.
We are keen to publicly demonstrate our standards and hold the Cyber Essentials standard promoted by the Government.
Business continuity and disaster recovery
Part of any organisation’s commitment to maintaining the confidentiality, integrity and availability of its information is to have in place a way to protect its resources in the event of a serious incident that affects its ability to carry out its business. HEFCE therefore has in place a business continuity plan, which takes into account the risks we face, and which incorporates a disaster recovery plan. The key features of these are:
- our main servers (and therefore our data) are off site in a secure facility
- the network we use is managed by professional staff who operate a cyber-security protection service from which we benefit
- our technical infrastructure operates with a number of firewalls to protect against external attack
- we use anti-virus and anti-malware software, security certification, adopt a standard approach to patching, use two-factor authentication and complex passwords for access to systems and operate perimeter and other physical controls
- we are able to monitor activity across our network
- we have a back-up and penetration testing regime in place
- staff can access critical parts of our systems remotely so critical functions can continue in the event of an emergency
- our key processes and operating procedures are documented and held remotely from HEFCE’s systems
- we have made assessments of the action we would take in a number of scenarios, for example a flu pandemic.
Compliance and audit
To support staff responsible for the management and security of information, our governance function independently reviews and provides assurance over what we do.
We use our internal auditors to review information security arrangements regularly.
We meet the requirements of the Government (Cabinet Office) Security Policy Framework, which requires an annual self-assessment. We have secured the Government-promoted Cyber Essentials standard. We are also required to periodically provide assurance to government about aspects of our information security arrangements, for example in respect of the large data sets we hold, including those used to calculate HEFCE funding for institutions.
We regularly review our information security policies under the oversight of our Information Security Steering Group.
We report on our information security arrangements to our Audit Committee at least annually and make a statement about these arrangements in our annual accounts.