
Information Security Policy

1. Purpose

Equra College London (“Equra”) protects information to maintain confidentiality, integrity and availability. This policy sets minimum security requirements for all Equra information, systems, devices and accounts, including academic materials, student records, staff records, finance records and governance documents.


2. Scope

This policy applies to:

  • All staff, contractors, volunteers and authorised users of Equra systems
  • All devices used for Equra work (Equra-owned and approved personal devices)
  • All Equra information in any format (digital, paper, audio, video)
  • All platforms used for delivery and administration (email, website, learning platforms, cloud storage, HR/finance tools)

3. Key principles

Equra will:

  • Protect information based on risk and sensitivity
  • Limit access to a need-to-know basis
  • Apply secure-by-default settings
  • Maintain logs and audit trails where appropriate
  • Ensure security is built into procurement and partnerships
  • Respond quickly to incidents and learn from them

4. Information classification

Equra uses four information categories:

A) Public
Information intended for public release (website content, public prospectus materials).

B) Internal
Routine operational information not intended for public release (internal emails, routine timetables).

C) Confidential
Information that could cause harm if disclosed (student records, assessment materials, contracts, staff records, complaints).

D) Highly Confidential
High-risk information requiring restricted access (safeguarding records, health/adjustment records, disciplinary case files, security incident records).

Handling requirements become stricter with each classification: a control required for Confidential information also applies to Highly Confidential information.


5. Roles and responsibilities

5.1 Governing Body

  • Overall accountability for security governance, risk oversight and resourcing.

5.2 Information Security Lead

  • Maintains this policy, provides guidance, coordinates incident response, and conducts periodic assurance checks.

5.3 System Owners (platform administrators)

  • Ensure systems are configured securely, access is reviewed, and changes are controlled.

5.4 All users

  • Follow this policy, complete required training, and report incidents immediately.

6. Access control

6.1 Accounts

  • Each user must have a unique account. Shared accounts are not permitted except where formally approved for operational necessity and managed securely.

6.2 Least privilege

  • Access must be limited to what is necessary for the role. Administrative access must be formally approved and restricted to the individuals who need it.

6.3 Joiners, movers, leavers

  • Access must be granted only after authorisation and removed promptly on role change or exit.

6.4 Access review

  • Access permissions for confidential and highly confidential systems must be reviewed at least every 6 months.

7. Authentication and password standards

7.1 Passwords must be strong and not reused across systems.
7.2 Multi-factor authentication (MFA) must be enabled for all accounts where available, especially admin accounts, email, and cloud storage.
7.3 Passwords must never be shared by email or message.
7.4 Where password managers are used, they must be reputable and access-controlled.


8. Device and endpoint security

8.1 Approved devices

  • Equra work should be carried out on Equra-managed devices where possible. If personal devices are authorised, they must meet minimum controls.

8.2 Minimum device controls

  • Device login protection (PIN/password/biometric)
  • Automatic screen lock
  • Up-to-date operating system and security patches
  • Anti-malware protection where applicable
  • Device (full-disk) encryption enabled where available
  • No jailbroken/rooted devices for Equra access

8.3 Lost or stolen devices

  • Must be reported immediately. Equra may require remote wipe of Equra data where feasible.

9. Secure email and communications

9.1 Users must check recipient addresses carefully before sending.
9.2 Confidential information must not be sent to personal email accounts.
9.3 Sensitive attachments must be shared using secure links and access controls where possible.
9.4 Passwords for protected documents must be communicated through a separate channel from the document itself (for example by phone rather than in the same email).


10. Data storage and secure sharing

10.1 Approved storage

  • Equra information must be stored only in approved systems (cloud storage, learning platform, official drives). Local storage should be minimised.

10.2 Secure sharing

  • Use role-based access, expiry links, and limited permissions where possible.
  • Sharing highly confidential information must be restricted and logged where feasible.

10.3 Paper records

  • Must be stored securely (locked cabinets) and not left unattended. Printing should be limited.

11. Backups and availability

Equra will ensure appropriate backups and recovery arrangements for critical systems. Access to backups must be restricted, and restoration from backup must be tested periodically.


12. System security and patch management

12.1 Systems must be configured securely and kept up to date.
12.2 Critical security updates must be applied promptly.
12.3 Default passwords must be changed and admin interfaces protected.


13. Secure use of learning platforms

13.1 Course sites and content must be managed by authorised staff.
13.2 Assessment materials must be restricted to appropriate users and released according to assessment timelines.
13.3 Recording of sessions must follow Equra privacy rules and any published guidance to learners.


14. Procurement and supplier assurance

Where suppliers process or host Equra information, Equra will ensure appropriate security controls and contractual protections are in place, including confidentiality, access control, incident notification and data disposal requirements.


15. Security incidents and reporting

Any suspected security incident must be reported immediately to the Information Security Lead or Data Protection Lead, including:

  • Lost devices, suspicious emails, malware alerts
  • Accidental disclosure to the wrong recipient
  • Unauthorised access or account compromise
  • Missing records or unusual system activity

Incident response steps are handled under Equra’s Data Breach Incident Response Procedure.


16. Training and awareness

All staff and relevant contractors must complete information security and data protection training on induction and refresh it periodically. Equra may provide targeted training for administrators and managers.


17. Monitoring and compliance

Equra may monitor system use for security and compliance purposes, proportionately and lawfully. Breaches of this policy may result in access restriction and further action under relevant Equra procedures.


18. Review

This policy will be reviewed annually or sooner if required by incidents, new systems, partner requirements, or legal/regulatory change.