Information Security Guidelines
1. Keeping Personal Information Secure
All personal data must be stored in a secure environment with controlled access – the level of security applied to the information will depend on the nature of the information and should be applied following a risk assessment which should establish the potential risk of unauthorised access and / or theft.
[a] Paper records
Appropriate storage for paper / manual records would include:
- Locked metal cabinets with keys limited to authorised staff only;
- Locked drawer in a desk (or other storage area) with keys limited to authorised staff only;
- Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only;
[b] Electronic records and Database Systems
Good practice guidelines for electronic records would include:
- Never disclose your password(s) – you will never be asked to disclose your password, and never reply to any email requesting you disclose you password – if in doubt check with IT Services;
- Ensure your password is robust – not a real word or name, a mixture of letters, number, capitals, and lower case – change it regularly and refer to the ITS website for guidance
- Always log off, or lock a workstation before leaving it;
- When confidential work is being carried out ensure no one else can read the screen;
- Protect equipment from physical theft, this is vitally important for portable equipment such as laptops and memory sticks;
- Store all records on the University network (M or U drive) – this ensures data is backed up by IT Services, and mitigates the risk of information loss/disclosure due to sharing a computer or computer theft. Where it is not possible, ensure that all important data is backed up regularly and backups are kept in a separate secure location. Liaise with IT Services if you require assistance.
- Ensure your level of access to database systems containing personal information (e.g. student system, finance system, HR system) is relevant to your job role and responsibilities. If your job/responsibilities change, notify the data owners of each system to ensure your access is appropriate.
- Particular care is required when forwarding emails, in particular ones with attachments so that information is only sent to people with a real ‘need to know’. Before forwarding attachments at all you should check that the information is not available to them by other secure means.
[c] Using IT Resources securely away from the University
[i] When using a PC or a MAC and working away from the University, you should be aware that information could be stored on that device in two key ways:
- you decide to store a file on the device, or
- through a process such as reading an email attachment, information is inadvertently left on the device unbeknown to you.
[ii] The secure method of working away from the University with due regard for Information Security (e.g. on a University laptop or non-University laptop/computer) is to use the University’s Desktop Anywhere service. This method ensures all information stays on the University IT infrastructure, as is not stored on the device used. Having logged in, use the “Ïã¸ÛÁùºÏ²Ê¹ÒÅÆ×ÊÁÏ Staff Desktop” menu icon to experience working as if you were using PC at the University. Your email and files on your M, N and U drives can be accessed securely and a full range of software is available. This is available to both PC and MAC users, but gives a PC experience.
[iii] During 2011, whilst the University rolls out its programme to encrypt all University owned laptops staff should ensure that no confidential, sensitive or personal data is stored on laptops and that the Desktop Anywhere service is used at all times to ensure compliance with this Policy. Encryption ensures that all information stored intentionally or unintentionally on the device is secure.
[iv] A review of secure working options for MAC users is being undertaken to ensure a more MAC like user experience than DesktopAnywhere. In the meantime, MAC users should contact IT Services to set-up encryption of the user space for any MACs being used off-site. This should be done with IT Services to ensure that information on the MAC is still available should the user forget their user password or leave the University.
[v] Encrypted USB sticks (suitable for both PC and MAC users) have been tested by IT Services. If you are unable to log on using method [ii] above then confidential, sensitive or personal information, must be stored on an encrypted USB stick. This method does not protect against information being left inadvertently on a device through reading email (as described in ii above). Further information on the supported encrypted USB stick, and where to purchase it from, is available from the IT Support Centre .
[d] Cloud Computing
The use of cloud computing is increasing and its use is of benefit to members of staff working collaboratively or off site. However, uploading information into cloud space may not be appropriate for all uses particularly where security of data and / or personal data are involved. Members of staff must ensure that their use of cloud services has been appropriately risk assessed with due consideration given to both the legal and reputational risks to the University.
In particular members of staff should ensure that the requirements of the Data Protection Act are maintained for any personal data which may be held within a cloud computing environment. The following issues, in particular, would need to be considered if staff chose to hold personal data in a cloud computing environment:
- That technical and organisational measures must be in place to ensure that there is no unauthorised or unlawful processing of personal data as well as ensuring that personal data is not lost, damaged or destroyed
- That transfer of data outside the European Economic Area by uploading into cloud space could be a breach of principle 8 of the Act and due consideration must be given to ensuring that appropriate contract terms are in place with the cloud provider
- That the probability of the occurrence of serious data loss may not be very high but should a loss occur the impact on the institution is likely to be significant.
Further guidance on the use of cloud space can be obtained from IT Services.
[e] Mobile Devices
Individual members of staff have responsibility for managing and protecting their mobile device (for example a Blackberry/Smartphone) and the data contained on it. Staff should ensure that no confidential information, information which may cause reputational damage to the University or lead to litigation and / or sensitive personal data is stored on these devices.
There are simple steps you should take to protect your mobile device and the data that is on it.
Setup a security password or PIN number on your mobile device. When the device is not used for a period of time, it will lock and need the security code to be used again, adding protection if the device is mislaid or stolen.
Make regular back-ups of any data that is on your device, such as documents, images, etc. If you synchronise your email, calendar and contacts with your University account, you do not need to back-up this data as it is stored centrally at the University and only a view of this data is on your device. However, if you have documents, images, or additional data aside from your University account, you should regularly copy these files to your PC, ideally a folder on your M drive, to make sure you have backup copies should your device fail or be lost.
2. Access to Personal Data
Heads of College and Heads / Directors of Central Service Departments should ensure they are aware of those staff members within their sphere of responsibilities who, by the nature of their post, have been identified as requiring legitimate access to personal data in the course of their employment.
The designated purposes for which access to the personal data will be permitted must also be defined. For some Colleges and Departments this will be clear by the nature of their function e.g. Human Resources. However in other cases these purposes will need to be specifically outlined.
As noted in the University’s Data Protection Policy staff members must ensure that:
- All personal information entrusted to them in the course of their employment is kept securely;
- No personal information is disclosed either verbally or in writing, accidentally or otherwise to any unauthorised third party.
- Any infringement of the Act will be treated seriously by the University and may be considered under disciplinary proceedings
- Where a file containing personal data is removed from the secure filing for a legitimate reason by an authorised member of staff a strict signing out and signing in procedure should be in force.
- Staff should ensure that personal information is only photocopied where this is strictly necessary and should ensure that the copy and the original are subject to the same security protocols.
- Unless absolutely essential, and authorised by the relevant Head of College or Department, staff should not take personal data outside the University – in either manual or electronic form. Where it is essential for this to happen appropriate security precautions must be taken to guard against theft or unauthorised access to those data (see Section 1 above).
- Where secure off-site access to electronic information and databases is required, the University’s Desktop Anywhere service should be used. This ensures that information is not physically transferred outside the University and the exchange of information is over an encrypted link. To use the service a Ïã¸ÛÁùºÏ²Ê¹ÒÅÆ×ÊÁÏ username and password is required.
- Off-site access to email should be configured in accordance with ITS advice to ensure secure transmission
3. Transfer of Personal Data / Sensitive Personal Data
[a] Before transferring or disclosing personal data outside the University staff must familiarise themselves with the requirements of the University’s Data Protection Policy. Particular care should be taken when forwarding any attachments via email (see point 1 [b] above).
[b] Staff must ensure that the appropriate security precautions are in place (such as encryption) to minimise the risk of losing the data and / or accidental disclosure of the data.
[c] All postal communications containing personal data must be marked strictly private and confidential and must be addressed to a named individual.
[d] All physical devices such as USB memory sticks, CDs or DVDs containing personal data must always be encrypted before being sent.
[e] For both external and internal mail containing personal data the most appropriate and secure method of sending the information must be considered. For external mail use of the Royal Mail “Signed For” service or a courier should always be considered. Further advice should be sought from the University Post room.
[f] Sensitive personal data must not be emailed externally under any circumstances unless encrypted (contact IT Services for further guidance on availability of email encryption).
[g] Manual personal data must always be sent by Royal Mail “Signed For” service or a Courier service.
[h] No personal data should be sent by fax, except in cases of absolute necessity where no other means of communicating the information in time is available. Where this is required a ring-ahead process must be used to ascertain that the receiving machine is being monitored, and after sending receipt should be verified as soon as possible. No faxes should be sent using automated dialling / stored numbers as the possibility of error is increased.
[i] Where possible wireless network connections should make use of secured services. In the University the preferred secure service is called eduroam (which will also work in many other Universities in the UK and abroad). The IT Services web site has information on connecting to the service. Assistance is also available via the IT Support Centre (X8111).
At home your wireless broadband connection should be set to a secure connection method called WPA2 (or WPA if WPA2 is not available). Your internet service provider (ISP) can provide assistance.
In other public areas a secured service may not be available. In this case you should be aware that any data sent or received via normal web pages could be intercepted. Sensitive data on a unsecured network should only be sent using secured web pages (the address of these begins https:// - the ‘s’ indicating secure).
[j] Many web forms will ask you if you wish to save a password you have provided. In all cases choose the option – “never for this web site”. This will help prevent any unauthorised access to any secured web pages.
4. Further Information
Further information or guidance on any aspect of these Guidelines can be obtained from the Compliance Unit or IT Services.