Introduction to Information Security
Protecting information created, received and shared by staff and students across the University
What you need to know
About the Information Security team
The Information Security team is responsible for the development, operation and continuous improvement of information security across the University ensuring the availability, confidentiality and integrity of its information.
We define information security policies and procedures, advise on secure IT arrangements, provide training and practical advice that the University can use to meet business requirements while maintaining security. We are responsible for information security risk management and compliance, and the monitoring of IT systems to prevent and detect attacks.
We work closely with the University’s other Information Governance functions, supporting the Legal team with Data Protection compliance and contract reviews, and supporting the Records Management team with aspects of information asset management. We support the University’s SIRO (Senior Information Risk Owner), IAOs (Information Asset Owners) and IAMs (Information Asset Managers) in overseeing and promoting the effective management of University information to meet operational and legal requirements, and ensuring that the confidentiality, integrity and availability of University controlled information is maintained at all times.
- Tom Stoddart (Chief Information Security Officer): [email protected] | 07966 313571
Information Assurance
- Hannah Burling (Information Assurance Specialist: [email protected]
- Nicki Hargreaves (Information Assurance Specialist): [email protected]
Cyber Security Operations
- Ian Scott (Deputy Chief Information Security Officer): [email protected]
- Chris Luke (Security Analyst): [email protected]
- Dan Smith (Security Analyst): [email protected]
- Steve Fitzsimmons (Security Analyst): [email protected]
- Fred Skinner (Security Architect): [email protected]
Report an information security incident
An information security incident is:
- A suspected, attempted, successful, or imminent breach of security leading to the threat of or actual threat of or actual accidental, unlawful or unauthorised access, use, disclosure, breach, modification, or destruction of information, including personal information
- Interference with the operation of information systems
- A breach of Information Security Policy or Procedures, including the Acceptable Use of IT Systems
All users who access, use or manage University information are responsible for reporting information security incidents.
This includes concerns about the security of an IT account, computer or University IT service, as well as loss or disclosure of paper information, or weaknesses in a business process.
If you are aware of, or suspect, an information security incident is taking or has taken place, please report it by clicking the button below and completing the Assist form. Please provide as much detail as you can about the incident - you can find guidance on what to include here.
Responsible disclosure
Manchester Metropolitan University are committed to maintaining and continuously improving the security of our systems. We value the assistance of security researchers and others in the security community to assist in keeping our systems secure.
If you have discovered a security vulnerability that falls within the mmu.ac.uk domain name and all subdomains of mmu.ac.uk or any systems in use by the University, TLS configuration vulnerabilities or an indication that our services do not fully align with industry best practice, please email [email protected] and include:
- A description of the issue and where it is located – be as specific as possible.
- A description of the steps that led you to discover the issue.
- The entire URL (if applicable) and/or any IP addresses relevant to the vulnerability.
- Details of the affected platforms, components, operating systems and software versions.
- Any screenshots, including any log files (if applicable).
- Any reference to existing vulnerability information where relevant.
We ask that:
- You do not put any University data at risk, degrade performance of any of our systems, or conduct any form of attack.
- You act in a responsible manner and do not break any applicable laws.
- You alert us immediately if you can access anyone else’s data, personal or otherwise, including usernames or passwords. Please do not store, save or transmit this information.
- You do not attempt to prove any vulnerabilities. Any such action could be treated by the University as a potential misuse of the system and is therefore likely to lead to further action.
- You do not share vulnerability details except with the University Information Security team.
- You do not report generic vulnerabilities with no evidence of relevance to our systems.
In response to any responsible disclosure, we will ensure that:
- Information you provide will remain confidential, we will not share your data unless required by law.
- We keep you up to date with our progress and notify you when an issue is resolved.
- We will only ask you for any additional information if we need to investigate the issue further.
- Where necessary, a review will take place to update our practices to improve our security.
Please treat in a confidential manner any information associated with University systems, staff or students that you may have acquired or that you have otherwise become aware of that is not publicly available. Please do not share it with anyone other than emailing it to [email protected] as part of your responsible disclosure.
Contact us
For any information security advice, please contact the Information Security team. Email: [email protected]
Records Management enquiries
Please contact the University’s Records Manager. Email: [email protected]
Data Protection enquiries
Please contact the University’s Data Protection Officer. Email: [email protected]