Heads of Department
As Head of Department you are accountable for the implementation of the University's Information Governance Policies. You also assume the role of Senior Information Risk Owner for your department.
Oversight & Leadership
- Promote the highest ethical standards in the design, conduct and reporting of research (Research Integrity)
- Take overall ownership of information security in the department (Information Security)
Policy Implementation
- Effective implementation of information security policy within the department (Information Security)
- Define and document specific information security policy requirements for the department (Information Security)
- Identify and assign specific roles related to information security
- Embed information security in management framework
- Perform regular reviews against the policy (Information Security)
- Report on compliance with the policy (Information Security)
- Ensure compliance with baseline information security standards (Information Security)
- Ensuring that the risk management policy is implemented and followed in the department (Risk Management)
- Ensuring their staff and students observe the research integrity policy (Research Integrity)
- Providing support to Information Compliance Team (Data Protection)
Asset Management
- Controls access to records: access to current and non-current records restricted to department (Records Management)
- Up-to-date inventory of all asset usage (Information Security)
- Records of processing activities (Data Protection)
- Agreeing arrangements (with researcher) as to where the researcher’s research data will be stored and who will have access to this after the researcher leaves (or retires from) the University (Research Data Management)
- Implement additional security controls for confidential data (Information Security)
- Classify information assets (Information Security)
- Develop handling rules (Information Security)
Risk Management
- Maintenance of departmental risk register (Risk Management)
- Reviewing data privacy risks (Data Protection)
Incident Management
- Ensure local procedures are in place for management of information security incidents (Information Security)
- Ensure compromised systems are isolated (Information Security)
- Ensure all incidents and breaches are reported (Information Security)
- Cooperate with IS Team to ensure vulnerabilities are fixed (Information Security)
Staff Awareness & Training
- Staff awareness including training, job descriptions, 3rd party agreements (Data Protection)
- Ensuring that staff are aware of the risk management policy, associated explanatory guidance, and any requirements that the policy places upon them or their activities (Risk Management)
- Arrange compulsory information security training (Information Security)
- Ensure staff fully understand information security as an integral part of day-to-day work (Information Security)
- Information security training is part of induction (Information Security)
- Keep a record of information security training (Information Security)
- Repeat training annually (Information Security)
- Ensure staff awareness of classification and handling rules (Information Security)
Departmental Processes (Research, Admin and Teaching, Business as Usual | Projects)
- Compliance with ICT requests (Data Protection)
- Policies & procedures where appropriate (Data Protection)
- Implement technical and procedural arrangements for information security (Information Security)
- Privacy by design, Impact Assessments (Data Protection)
- Effective local review and approval of departmental research applications before submission to CUREC (Research Integrity)
- Procedures for key activities in data quality management (Data Quality)
- Regular review of data quality procedures (Data Quality)
- Embedding data quality procedures in local work practices (Data Quality)
Work with Third Parties
- Privacy notices (Data Protection)
- Data Sharing (Data Protection)
- Record access by third parties (Information Security)
- Due diligence around contracts and security in third party agreements (Information Security)
- Review arrangements in existing contracts (Information Security)
- Monitor compliance (Information Security)