Last updated: August 20, 2019

Comparing the documentation of UCL and Harvard, UCL has a clear document for each policy, whereas Harvard has 15 policy statements which are then expanded in further documentation, such as its levels of data security, which are in turn split into users, devices, servers, and paper and physical copies. This means that reading the policies that apply to people or devices is quite straightforward; however, the format UCL uses, presenting its documentation in separate PDFs, makes it easier to read the policies that apply to people and devices. Reading UCL's supporting policies, however, requires signing into the UCL intranet, so we did not have access to them and could not compare them with Harvard's policies.

An improvement for Harvard would be to consolidate its multiple areas of documentation into one main document, similar to UCL; conversely, UCL could improve its documentation by splitting policies into specific levels such as users, devices and servers. Harvard's policy statements reference the requirements documentation using codes: codes for user requirements start with U, codes for device requirements start with D, and codes for server requirements start with SA, each followed by a number. This makes the requirements clear for the people and devices affected by each policy. UCL, by contrast, has a main information security policy and supporting policies, but these supporting policies are never referenced in the main information security policy. This could lead to staff members or students ignoring the supporting policies. UCL could improve its documentation by referencing each supporting policy in the security policy at the point where it is directly applicable to the section being explained.

When looking into how to report a security incident and an exposure of confidential information, Harvard gives steps to follow if high-risk confidential information, which includes level 4 or level 5 information, may be exposed, but gives different steps if the exposed information is confidential information such as Harvard University ID numbers or level 2 or level 3 research information. However, the reporting web page does not clarify what classifies as level 2, 3, 4 or 5 information. UCL's User Guide to UCL's Information Security Policy, on the other hand, states that all suspected security problems, including any suspected or actual breaches involving personal information, must be reported to the Data Protection Officer, and that breaches of physical security (such as the theft of equipment) should be reported to UCL Security. An improvement for Harvard would be to clarify on the report-an-incident web page what classifies as level 2, 3, 4 and 5 information.

UCL uses technical wording which is explained in a separate glossary, whereas Harvard's wording is clear and concise. UCL's documentation may lead to departments that are not IT-related not fully understanding the policy, whereas Harvard's documentation is readable by all departments. An improvement for UCL would be to remove all technical wording from its security policies.

UCL does not mention users' passwords in its main security policy, though it does have a supporting policy titled “UCL Password Policy and Principles”, which is unavailable without signing into UCL's intranet. Harvard, by contrast, has a policy titled “All users are responsible for protecting their Harvard passwords and other access credentials from unauthorized use”, which applies to passwords for users, devices and servers. It requires “the use of strong passwords which are of sufficient length and complexity to reasonably protect them from being guessed by humans or computers.” UCL could improve by making its password policy globally accessible and referencing it within the main policy.

Harvard has a policy called “Vendors contract” which states that written contracts must be executed with all vendors and other parties who collect, process, host or store Level 3 or 4 information. UCL does not mention vendors in its main policy, but does provide a data protection document as a supporting policy to its information security policy, which is its main policy. However, we could not access the data protection document, as it requires signing into the UCL intranet. As an improvement, UCL could reference the data protection policy in its main policy and also ensure it has policies relating to the university's vendors.

UCL has a policy which states that “Managers are reminded via the standard checklist to ensure that the online information security awareness training is completed.” This implies that every employee of UCL must complete security awareness training, whereas Harvard has a policy that states only staff members who are authorised to use confidential information must annually acknowledge the confidentiality agreement and review information security awareness for staff. This implies that only the Harvard staff members who deal with level 4 or level 5 information have to complete security training. Harvard could improve this policy by stating that all staff members must complete security training.

UCL last updated its policy on 6 September 2016, whereas Harvard does not state when its policy was last updated. Harvard could improve this by stating when its policy was last updated, to ensure employees and students are aware of any changes to the security policy. To summarise, there are improvements that both Harvard and UCL can make to their security policies.

