This page supports policy statement 6.3 in the new Information Security Policy
Introduction
Security controls must be implemented to protect UCL information and systems in a manner proportionate to their classification, value, and associated risks. Controls must support business requirements and ensure the confidentiality, integrity and availability of information at appropriate levels.
Effective security is achieved through a combination of technical, procedural, and organisational measures, applied consistently and reviewed regularly.
Summary of Policy Requirements
- Controls must be risk-based and aligned to information classification.
- The principle of least privilege must be applied to all systems and access arrangements.
- Additional controls must be considered for sensitive data or critical systems.
How to Comply
- Identify system classification and risk level before implementing controls.
- Apply any UCL standards that are relevant to the system, such as those for:
  - Secure system configuration,
  - Access management,
  - Monitoring and logging.
- Ensure only authorised users have access and privileged access is restricted and controlled.
- Perform regular security assessments and patching.
- Ensure systems are actively managed (not left unmanaged or unsupported).
- Where a required control cannot be applied, document the exception and obtain approval from the risk owner and the Information Security Group (ISG).
- Review and assess systems for vulnerabilities on a regular basis, and protect them against unauthorised access and misuse.
Further questions
If you have any questions that haven't been answered by the information on this page, please don’t hesitate to ask the Information Security Group.
Policy statement
System Custodians must ensure processes, technology, services, and facilities are protected by security controls that are appropriate to the classification of the associated information assets.
