Projects control procedure
Defining our approach to information security in projects.
Procedure about projects and information security
Contents
Policy statement
This control procedure defines the university’s approach to information security in projects, and directly supports the following policy statement from the Information Security Policy:
“Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems. Controls to mitigate any risks identified will be implemented where appropriate. Systems development will be subject to change control and separation of test, development and operational environments.”
“The University’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected. Supplier activity will be monitored and audited according to the value of the assets and the associated risks.”
Audience
This procedure is intended to be read and understood by IT and Digital and other staff who are responsible for the implementation of IT systems; and for those involved in scoping projects that may require the processing of the university’s information.
Control statements
The university’s information security requirements will be considered when setting up new projects that may include new IT systems and services, or carrying out changes or upgrades to existing systems and services which may generate information security or data privacy implications.
Project initiation
Prior to the commencement of a new project or a change to an existing IT system or service, the lead project manager should work alongside colleagues within the Information Security and Legal teams to complete the following assessments:
- Information Security Assessment
- Data Protection Impact Assessment (DPIA)
Where the outcome of the assessments above identifies significant risks, a full risk assessment will be conducted to review the risks further and to determine if residual risks are acceptable to the University, as defined in the Information Risk Management Policy. For further guidance on conducting risk assessments please see the Risk Assessment Control Procedure or speak to the Information Security Team.
The Information Security Team must formally assess the use of third-party IT systems and services including cloud hosting services. Project managers and sponsors will ensure that vendors adequately address security, privacy and all other IT system requirements. The use of such systems and services must comply with the University’s Information Security Policies.
Responsibilities
When a new project is being considered or where there is a requirement for a change to an existing system or service that may instigate information security or data privacy implications, the project sponsor or service owner will be accountable for ensuring that these assessments are conducted. The project manager or business analyst will be responsible for following the process set out above.
Project managers/service or system owners must take into account the confidentiality and value of the information involved, and the outcome of a serious incident (for example information loss, user account misuse, compromise or a technical failure) when determining what security controls and risk mitigation measures to use.
Residual risks must be recorded in relevant local risk registers and monitored appropriately. Any medium or high risks should be discussed with the Information Security team.
The university’s Information Security and Legal teams will support project managers or service owners with the overall assessment of information security and data privacy risks where required.
Compliance
Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.
Version: | 1.3 |
Release date: | 10/09/2024 |
Review date: | 10/08/2025 |