LSI

Information Technology (IT) Infrastructure Management Policy

Policy Statement

The School is committed to maintaining excellence in education and research through robust IT infrastructure management. This policy ensures the protection and continuous operation of IT systems, safeguarding assets and upholding data integrity, availability, and confidentiality. Our comprehensive risk management and IT Incident Response Plan align with industry best practices to effectively address and mitigate security incidents, protecting our academic community.

Principles

  • Governance: Effective IT governance ensures accountability, aligns with institutional objectives, and supports strategic decision-making processes.
  • Risk Management: Proactive identification, assessment, and mitigation of IT risks to prevent potential disruptions and data breaches.
  • Compliance: Adherence to legal, regulatory, and policy requirements is non-negotiable to uphold data protection and privacy standards.
  • Security: Implementation of comprehensive security measures to protect our digital assets from unauthorised access and cyber threats.
  • Resilience: Ensuring the School's IT systems are robust and can recover quickly from any incident to minimise impact on operations.
  • Training: Regular training programmes enhance staff and student awareness of IT threats and their ability to identify and respond to them.
  • Response: Rapid and effective action in the event of an IT incident to limit damage, restore services, and protect student interests with minimal delay.
  • Communication: Clear and timely communication protocols for internal and external stakeholders during and after IT incidents.
  • Review: Continuous improvement through regular review of the IT infrastructure and response plans, incorporating lessons learned from incidents.
  • Collaboration: Fostering partnerships with external experts and industry leaders to stay at the forefront of IT infrastructure management and security best practices.

Regulatory Context

This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

  • UK Government, Data Protection Act 2018: Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data and the rights of data subjects.
  • Office for Students (OfS), Regulatory Notices and Advice: Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.
  • Quality Assurance Agency (QAA), The Quality Code: This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.
  • Quality Assurance Agency (QAA), Advice - Learning and Teaching.
  • Information Commissioner's Office (ICO), Guide for higher education institutions: Provides guidance for higher education providers on their obligations under data protection law.
  • JISC (Joint Information Systems Committee), Digital Infrastructure Guidelines: Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.

Digital Infrastructure at the School

The School operates a defined set of authoritative systems-of-record in accordance with the Information Governance Policy:

  • The Student Management System (SMS) is the authoritative system-of-record for student identity, enrolment, engagement, progression and outcomes.
  • The Virtual Learning Environment (VLE) is the authoritative system-of-record for learning delivery content and learning activity evidence.
  • The Automated Governance System (AGS) is the governance and assurance system-of-record used to manage approvals, committee records, registers, issue logs, workflows, and governance evidence.

Supporting technologies may provide access, presentation, or workflow functionality, but authoritative records must be created, stored, and evidenced only within the designated systems-of-record. This approach ensures traceability, auditability, and defensible evidence for regulated submissions, operational decisions, and compliance obligations.

The School recognises the critical role of its digital infrastructure in delivering services. By integrating IT management into its operations, including a comprehensive Response Plan, the School ensures effective and preventative IT infrastructure management.

A. Oversight and Risk Mitigation

The Board of Governors retains ultimate accountability for the integrity, resilience, and security of the School’s digital infrastructure. The President is accountable for institutional assurance. Operational ownership of digital architecture, technical controls, resilience, and day-to-day infrastructure management sits with the Director of Technology in their role as Information Governance Lead and Senior Information Risk Owner (SIRO). Oversight and assurance are exercised through the Executive Committee and the Quality, Compliance and Audit Committee in line with the School’s Information Governance framework.

The Director of Technology’s oversight is crucial for safeguarding the School's digital infrastructure, ensuring it remains secure, functional, and resilient to disruptions. This comprehensive approach supports the effective and uninterrupted delivery of educational and administrative services.

The dedicated IT and AGS Team, operating under the Director of Technology, is responsible for:

  • Providing 24/7 support.
  • Routinely evaluating and checking the School’s systems for vulnerabilities.
  • Using automated monitoring systems to receive alerts for any incidents.
  • Maintaining secure, monitored, and tested backups for each system-of-record and critical service using School-approved and contracted infrastructure that meets the School’s security, retention, and resilience requirements, with restoration testing and evidence retained to demonstrate recovery capability in line with the Information Governance Policy and Data Protection Policy.
  • Managing system patches to ensure security and stability.
  • Implementing security controls such as firewalls and detection systems, and conducting penetration tests.
  • Training all staff and students in the use of School technology during their induction.

The IT and AGS Team reports to the Director of Technology, who then reports to the Executive Committee and submits a formal IT infrastructure management report to the Quality, Compliance, and Audit Committee.

The IT and AGS Team's comprehensive responsibilities ensure the School’s digital systems are secure, stable, and continuously monitored. Regular reporting to the Director of Technology, Executive Committee, and Quality, Compliance, and Audit Committee maintains transparency and accountability in IT infrastructure management.

IT infrastructure risks are managed as part of the School’s enterprise risk management and information governance framework. Risks relating to systems-of-record, infrastructure resilience, information security, and personal data processing are identified, recorded, and tracked within the School’s governed risk and assurance registers. The Director of Technology is responsible for identifying and assessing technical and operational risks, proposing mitigations, and reporting material risks and trends to the Executive Committee and the Quality, Compliance and Audit Committee. Where risks affect regulated submissions, personal data, or critical services, evidence of assessment, decisions, and mitigations is retained within the governance and assurance system-of-record. This approach ensures that infrastructure risk management is proportionate, documented, and aligned with institutional governance and regulatory expectations.

This rule ensures that IT infrastructure risks are systematically monitored and managed, reducing the likelihood of disruptions to the School’s operations. Regular reporting to the Executive Committee and Quality, Compliance, and Audit Committee ensures that risk management is integrated into overall governance and capacity planning.

The School maintains comprehensive IT Regulations, accessible on the School’s website. All staff and students receive induction on these regulations upon joining. The IT Regulations state:

  • Users must not compromise the integrity of the IT infrastructure by, for instance, deliberately or recklessly introducing malware or attempting to disrupt or bypass IT security measures.

Additionally, the Academic Governance System (AGS) Policy outlines appropriate use of the AGS. The Director of Technology oversees these policies, ensures their implementation, and reports on their effectiveness.

These regulations and policies ensure the secure and proper use of the School's IT infrastructure. By clearly defining acceptable behaviour and assigning responsibility to the Director of Technology, the School aims to prevent security breaches and maintain the integrity of its IT systems.

B. IT Incident Response Plan

The School’s IT Incident Response Plan is designed to address IT incidents effectively. The primary goal of the plan is to minimise disruptions to students' learning and ensure the continued delivery of the School's services.

This plan is crucial for swiftly managing IT incidents to minimise impact on educational activities and maintain operational continuity. By focusing on reducing disruptions, the School ensures that its services remain uninterrupted and students' learning experiences are protected.

Security incidents, service disruptions, and personal data breaches affecting IT infrastructure must be managed through the School’s governed incident and breach management processes as defined in the Information Governance Policy and Data Protection Policy. All incidents must be logged immediately through the approved service desk or governance system to ensure central recording, triage, and evidence retention. The Director of Technology coordinates technical containment and recovery. The Internal Data Protection Lead coordinates privacy assessment and statutory obligations where personal data is involved. Material incidents are escalated promptly to the President and reported through the Executive Committee and the Quality, Compliance and Audit Committee, with Board oversight where required under the Scheme of Delegation.

This process ensures that the IT Incident Response Plan is managed effectively with clear communication and decision-making. The President’s involvement in authorising the response ensures that appropriate actions are taken based on the incident's severity, while the CTO's role in convening the Response Committee ensures that expertise is mobilised efficiently.

The Director of Technology, as the chair, must collaborate with designated School teams to form the Response Committee. The response structure will operate proportionately to the severity and impact of the incident. Coordination meetings will occur at an appropriate frequency to manage containment, recovery, and communication. Status updates, decisions, and actions will be documented within the governance and assurance system-of-record, with formal reporting provided through the Executive Committee and the Quality, Compliance and Audit Committee and escalated to the Board of Governors where required. The President will then formally declare the incident closed.

This rule ensures that the Response Committee, led by the Director of Technology, maintains consistent communication and oversight during an incident. Daily meetings allow for timely updates and coordinated efforts, while formal notifications to the governing bodies ensure all stakeholders are informed of the resolution and closure of the incident.

  1. Director of Technology: The Director of Technology chairs the Response Committee.

  2. IT and AGS Team: Upon incident occurrence, the IT and AGS Team must assign at least one member to handle the incident exclusively. This member will investigate, contain the incident, oversee resolution, and report to the Director of Technology. They will also act as the secretary, maintaining minutes and tracking actions.

  3. Marketing Team: The Marketing Team must designate at least one member to manage communications while the system is down. They will use backup systems to email and text stakeholders and students. The Marketing Team will manage stakeholder communications in line with the School’s incident communication plan, providing timely, accurate, and proportionate updates based on the nature and impact of the incident. Communications must be coordinated with the Director of Technology and President to ensure accuracy, safeguarding considerations, and regulatory compliance. Records of communications must be retained within the governance and assurance system-of-record. The Marketing Team will provide contact details for students to direct all queries through them and maintain a record of all communications.

  4. Director of Education (DoE): The DoE ensures minimal disruption to learning and teaching. The School maintains regular backups of the AGS, VLE, and course content on diverse servers, including cloud platforms. If a server fails, the School can switch to alternative servers. In cases of software or platform issues, physical and electronic copies of materials are kept updated for continuity. The School will use Google Classroom, Microsoft Teams, physical classrooms, video conferencing, its website, email, and post for ongoing education. Assessment Regulations may be adjusted during emergencies to maintain flexibility. The DoE will create and provide protocols to the Director of Technology covering communication, timetables, staffing, content, delivery, assessments, and collaboration with external examiners and regulatory bodies. Daily updates will be provided to students through marketing messages and the DoE will coordinate with lecturers to ensure consistent information.

  5. Student Success Team: The Student Success Team must assign at least one member to support student wellbeing during system outages. Contact information for the team will be provided to students. The team will implement a plan to maintain student support throughout the incident and is an essential part of the Response Committee.

  6. Resources Team: The Resources Team must assign at least one member to help coordinate necessary resources during outages. 

  7. Student Experience Committee: The Committee must assign at least one student member to represent student interests.

This rule outlines clear responsibilities for each team involved in incident management, ensuring effective and coordinated responses. By defining roles, communication channels, and protocols, the School aims to minimise disruption, maintain continuity in learning, and ensure comprehensive support for students during IT incidents.

The Director of Technology is required to meet with the Heads of IT, Marketing, Wellbeing, and the Director of Education (DoE) at least twice each academic year to review and update the Response Plan. During these meetings, specific actions needed to keep the plan current will be assigned, and progress must be reported to the Director of Technology. Regular testing of the plan will also be conducted. The Director of Technology is operationally responsible for maintaining and testing the Response Plan. Ultimate accountability for the effectiveness of incident response arrangements rests with the Board of Governors, with institutional assurance provided by the President and oversight through the Executive Committee and the Quality, Compliance and Audit Committee. It is also the responsibility of all committee members to ensure their teams are trained on the plan.

This approach ensures that the Response Plan remains up-to-date and effective through regular reviews, assigned actions, and testing. Regular reporting to senior committees guarantees oversight and accountability, while team training prepares staff to effectively execute the plan when needed.

Following each material incident, a documented post-incident review must be completed to identify root causes, control weaknesses, lessons learned, and improvement actions. The review must include evidence of timelines, decisions, communications, and recovery actions and must be stored within the governance and assurance system-of-record. Findings and recommended improvements are reported through the Executive Committee and the Quality, Compliance and Audit Committee, with Board oversight where appropriate. Actions are tracked to completion to support continuous improvement and demonstrable resilience.

This procedure ensures that each incident is thoroughly reviewed to identify system weaknesses and failures. The resulting report provides valuable insights for refining the Response Plan, promoting continuous improvement and strengthening the School’s resilience against future incidents.

Incidents Short of the IT Incident Response Plan

Where an incident does not require full escalation, proportionate response actions may be taken under the School’s governed incident management process. The Director of Technology may coordinate technical and operational actions, with oversight from the President. All such incidents must still be logged, assessed, and evidenced within the governance system to ensure transparency, accountability, and auditability, with escalation applied where impact or risk increases.

This rule allows for a flexible response to incidents that do not require a full-scale activation, ensuring efficient use of resources and prompt action to maintain service continuity. Direct reporting to the President ensures clear communication and oversight during such situations.

The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.

Metrics and KPIs

Disaster Recovery Plan Testing

Test the disaster recovery plan biannually, ensuring that recovery objectives are met in at least 95% of tests.
Regular testing ensures that the disaster recovery plan is effective and that recovery procedures are well understood.

Incident Response Time

Track the average time from incident detection to initial response, targeting under 30 minutes.
Rapid response to incidents minimises potential disruption and mitigates impact on the academic community.

Security Vulnerability Resolution Time

Measure the average time taken to address and resolve security vulnerabilities, aiming for resolution within 48 hours.
Timely resolution of vulnerabilities reduces the risk of exploitation and maintains system security.

System Uptime

Measure the percentage of time IT systems are operational and available to users each month, aiming for 99.9% uptime.
High system uptime ensures continuous operation of IT services, essential for maintaining academic and administrative functions.