OfS privacy

Information security

The overwhelming majority of OfS’ information is held in our IT systems. This enhances our ability to use, communicate, share and store information in a variety of ways, drawing on the capability of new technology.

This capability enables OfS to use the information in its possession to act as the authoritative voice for higher education by informing policy, raising challenging questions and functioning efficiently in its role as a funder and regulator of the higher education sector in England.

At the same time, we recognise that using new technologies also bring a risk of the inadvertent, uncontrolled loss of information.

We support the Government’s efforts to manage information owned and used by the public sector in a secure way that is designed to protect the confidentiality, integrity and availability of business and personal information. For this reason, we have actively engaged with the Security Policy Framework since it was first introduced by the Government in 2008.

The purpose of this document is to describe our approach and commitment to protecting the information we hold.

Our approach to information security

OfS aspires to provide a consistently high quality service to its stakeholders across all that it does. This requires our approach to the management of IT and communication to be supported by robust and secure systems and processes that protect information and, in particular, personal data.

We seek to protect our information assets, which include large quantities of personal data concerned with our policy analysis and funding roles, wherever, however, and whenever they are created, processed, transmitted, shared or stored.

Our intention is to protect our information assets from misuse of any type, including unauthorised disclosure, modification and destruction. We manage the development and continuous improvement of our information security processes through drawing on UK government and international standards.

This is achieved through:

utilising cross-council groups with oversight of this work
assigning senior and other roles with specific responsibilities in this work
using regularly reviewed policies, procedures, guidance and technical responses to issues arising
all staff completing required training packages
regular independent review by internal audit
assessing and responding to information incidents that arise
reporting annually to our Audit Committee and incorporating a statement about information security in the Governance Statement in our annual accounts
assessing our standing in this work and making annual returns to our sponsoring department in government (the Department for Education) about our information security arrangements.

Our information security policies and standards

Our information security policies are designed to support staff in achieving the level of confidentiality, integrity and availability in the use of our information that we seek to have. These policies are a blend of technical, behavioural, cultural, ethical and process driven approaches to information security.

As a relatively small organisation, we are able to maintain a high level of consistency and awareness in the application of these policies, which cover a wide range of issues, for example:

information asset management
access control (including technically applied segregation of duties)
HR policies and procedures, including mandatory e-training programmes
technical and standards policies, including the acquisition, development and maintenance of hardware and software
physical, environmental and technical security measures for example, data loss protection and encryption
incident management
independence in roles and responsibilities for example, the Senior Information Risk Officer has an assurance role independent from the line management of IT services
business continuity.

Business continuity and disaster recovery

Part of any organisation’s commitment to maintaining the confidentiality, integrity and availability of its information is to have in place a way to protect its resources in the event of a serious incident that affects its ability to carry out its business.

OfS therefore has in place a business continuity plan, which takes into account the risks we face, and which incorporates a disaster recovery plan. The key features of these are:

our main servers (and therefore our data) are offsite in a secure facility
the network we use is managed by professional staff who operate a cyber-security protection service from which we benefit
our technical infrastructure operates with a number of firewalls to protect against external attack
we use anti-virus and anti-malware software, security certification, adopt a standard approach to patching, use two-factor authentication and complex passwords for access to systems and operate perimeter and other physical controls
we are able to monitor activity across our network
we have a back-up and penetration testing regime in place
staff can access critical parts of our systems remotely so critical functions can continue in the event of an emergency
our key processes and operating procedures are documented and held remotely from OfS’ systems
we have made assessments of the action we would take in a number of scenarios for example, a flu pandemic.

Compliance and audit

To support staff responsible for the management and security of information, our governance function independently reviews and provides assurance over what we do.

We use our internal auditors to review information security arrangements regularly.

We meet the requirements of the Government (Cabinet Office) Security Policy Framework, which requires an annual self-assessment. We are also required to periodically provide assurance to government about aspects of our information security arrangements for example, in respect of the large data sets we hold, including those used to calculate OfS funding for institutions.

We regularly review our information security policies under the oversight of our Information Security Steering Group.

We report on our information security arrangements to our Audit Committee at least annually and make a statement about these arrangements in our annual accounts.

Help us improve your experience

Describe your experience of using this website

What were you doing on the website? * Is there anything you liked or disliked? *

OfS privacy

Information security

Share this page:

Thank you for your feedback