RISM12 Environment Definition Policy

UCL Research Data Information Security Management System Environment Definition Policy

Document Name: RISM12-Environment_Definition

Author: Tim Machin

Classification: Public

Version: 1.1

Last Review: 15/04/2025

Last Reviewed by: Finley Bacon

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 years

1. Document Overview

This document describes the information that shall be maintained by the Trusted Research Environment Owner. The format of the information within the template will vary but the contents shall be controlled and owned by the Environment Owner.

2. Policy Scope

This policy may be used to define any technical environment where the technical environment is classified as a Trusted Research Environment (Tier 3 or 4 Environment) and in scope of the ISO27001 certification. All sections of this template shall be completed and the Environment Definition shall be treated as documented information.

3. Environment and Data Classification

The following characteristics of the environment shall be documented. Where an environment supports multiple data classifications (e.g. for supporting high availability as an option for specific studies or workloads), this shall be clearly conveyed in the documentation.

Environment Confidentiality Tier

The environment shall be assigned a confidentiality tier as per the Data Classification and Environment Tiering Policy.

Environment Integrity

The integrity of data an environment can handle shall be documented using the integrity classifications described in the UCL Information Management Policy.

Environment Availability

The availability of the environment shall be documented using the availability classifications described in the UCL Information Management Policy.

4. Roles and Responsibilities

The roles below shall be named and described in the Environment Definition documentation along with any specific variation related to the running of that environment.

  • Environment Owner
  • Environment IT Administrator
  • Environment IT Developer

5. Documentation

The location and format of documentation shall be described, including any document management processes. This should cover local standard operating procedures, policies and instructions related to the environment.

The location of work instructions should be documented but may be excluded from document control.

6. Environment Asset Register

The location and format of the asset register that documents the physical and virtual assets that make up the environment shall be described. Each asset should have an owner and support information related to any contracts, warranties or other agreements related to that asset.

7. Supporting Services

Any supporting technical services shall be described. Where the service is described elsewhere (e.g. in a service definition document), a list may be sufficient. Where additional technical contract or process controls have been applied to an existing service, they should be described.

8. Technical Environment Description

The technical environment shall be described. This should include text and diagrams covering, but not limited to, the following:

General

  • The hosting location (cloud provider/UCL).
  • Roles catalogue for roles specific to the environment: this will normally be different types of “project user” as detailed in the Roles and Responsibilities document.
  • Implementation and deployment methodology (e.g. Infrastructure as Code).
  • Any key technology choices (e.g. virtualisation, orchestration, networking, operating system(s)).
  • The physical and logical boundaries of the environment to determine the scope of the information security controls that the environment will be subject to. The logical specification may also include a definition of the agents or entities within the environment.
  • Standard data flows to, from and within the environment.

Control Specific Implementation

There may be specific implementations of controls which are not covered in the sections above. Where further information is required for the environment-specific implementation of a control, it should be provided in this section.

A complete list of the controls which may need to be addressed can be found here (requires login):

LogicGate Report RISM Environment Definition Controls