
Electronic Information Security Policy Summary Version 04/10/2015

Summary Electronic Information Security Policy

Date of Issue 24 December 2015


University of Chichester Summary Electronic Information Security Policy 2015


Support and Information Zone (SIZ)  01243 816222 [email protected]

Contents

1 Introduction and core principles ... 1

1.1 Purpose ... 1

1.2 Summary Categories of University Data ... 1

2 Types of Storage ... 2

2.1 Network Storage ... 2

2.2 Portable Devices ... 2

2.3 Portable Storage ... 3

2.4 Cloud Storage ... 3

2.5 Email ... 4

Appendix A: Summary of Best Practice for the Transmission/Storage of data. ... 5

Appendix B: Summary of personal responsibilities ... 6


1 Introduction and core principles

Most of the University’s activities generate data in one form or another. Information is an important business asset and as such, we all have a responsibility to safeguard its confidentiality, integrity and availability. This policy supports existing policies for information security and data protection by providing additional requirements for storing University data.

! It is always the data owner’s direct responsibility to ensure their data is safeguarded.

1.1 Purpose

The purpose of this policy is to help owners of University data to choose an appropriate storage method that ensures it is protected and managed in accordance with the statutory responsibilities and business requirements of the University.

1.2 Summary Categories of University Data

Data that has value to the University of Chichester must be protected during day-to-day on-campus activities, when working off-campus and when using personal devices. Not all University data has the same level of sensitivity and/or confidentiality and so categorising this data can help data owners better understand the steps needed to protect it from unauthorised access or being lost, stolen or intercepted. The following data categories are helpful for identifying the sensitivity of University data:

Category A - Public

Any data that can appropriately be viewed by anyone, anywhere e.g. press releases, course information, publications, released research data, conference papers etc.

Category B - Private

Any data where access requires it to be limited to specified members of the University of Chichester on a need to know basis e.g. reports, guidance, collaborative documents, draft documents, teaching materials etc.

Category C - Confidential

Any data which identifies an individual, either on its own or by reference to other information. It can include expressions of opinion about an individual. As defined by the Data Protection Act (1998), it also includes any personal data consisting of information as to an individual’s:

• racial or ethnic origin;

• political opinions;

• religious beliefs or other beliefs of a similar nature;

• trade union membership;

• physical or mental health or condition;

• sexual life;

• proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

The University of Chichester’s research activity will produce data that could be categorised as public, private or confidential.


2 Types of Storage

Although the University supports a range of storage media, we recommend using network storage wherever possible. Storing University data on the network may not always be immediately practical (e.g. when working off campus); however, data users are ultimately responsible for choosing the safest storage option based on their legal requirements under the Data Protection Act and their business needs regarding accessibility of information. A summary of the do’s and don’ts of storage for each category of University data is provided in Appendix A.

2.1 Network Storage

Home drives

All students and staff have access to network storage known as their home drive or H: drive. This is secure network storage for personal University data attached to their network account, which can be securely accessed from any computer or device connected to the Internet.

Shared drives

Departments may also have additional network storage called shared drives or S: drive. This network storage is linked to groups of network accounts enabling users to collaborate and share files within their department or group.

! Advantages of using Network Storage

Files are protected by University information security systems [1].

Files are routinely backed up for business continuity purposes as well as enabling the recovery of data that is accidentally deleted.

Files that are saved in one location can be accessed from a number of internet connected devices both on and off campus. This reduces the need for storing multiple copies and increasing the risk of data being inaccurate, lost or stolen.

! Network storage can safely be used for all categories of University data.

2.2 Portable Devices

University Issued Devices

Portable devices (such as laptops, tablets and smartphones) may be issued/loaned to members of the University to allow them to access University resources on the move. Security measures will be taken (such as encryption, user authentication and anti-virus software) to help safeguard University data that is accessed through these devices.

Personal Devices

The University also permits students and staff to access some resources through their personal devices, and access is controlled through user authentication. Users also have a responsibility to ensure their devices are protected, e.g. with passwords, encryption and anti-virus software, even when only accessing public data.

! If you are unsure about how to manage data on a University issued device or on your own device, please contact the Support and Information Zone (SIZ).

[1] Firewalls, antivirus, encryption and secure authentication.


2.3 Portable Storage

University Issued Storage Media

Portable storage media (CDs/DVDs, USB drives and external hard drives) may be issued/loaned to members of the University for use both on and off campus. Security measures will be taken (such as encryption software) where possible to help safeguard the data stored on this type of media.

Personal Storage Media

The University does not currently restrict the use of personal storage media; however, their use for private and confidential University data is not permitted.

Mobile Telephones

Mobile phones cannot be backed up and recovered from. Mobile phones have very little security, and must not be used to store private and confidential data.

! Considerations when using Portable Devices and/or Storage Media

Files stored only on portable devices and/or storage media have no provision for backup or recovery if they become lost, stolen or corrupted.

There is a significant risk of reputational damage and/or litigation for the university and the data owner if data is stored inappropriately on portable devices.

! Portable devices and storage media must only be used for the temporary storage of any category of data. The data must be removed and transferred to network storage at the earliest opportunity.

If it cannot be avoided and private and confidential data has to be copied to University issued devices or storage media, those devices and media must be encrypted [2].

Personal devices/storage media, including personal email accounts must not be used to store private and confidential data.

2.4 Cloud Storage

University Preferred Cloud Storage – OneDrive for Business

All staff and students have access to the University preferred cloud storage system – OneDrive for Business – through Office365. This service offers online storage space for public data that can be accessed from many locations and devices (e.g. tablets, smartphones etc.). The University’s contractual agreement with Microsoft provides for acceptable levels of data availability and security. Its use for private and confidential University data is currently not permitted.

Other Public Cloud Storage

Other commercial cloud providers, such as Dropbox, iCloud, Google etc. also offer public online storage. However, the service levels offered by these providers are beyond the control of the University and their use for University data is not permitted.

! Considerations when using Cloud storage

• Microsoft’s OneDrive for Business is protected by industry standard security systems and deleted files are stored in your recycle bin for a short period, currently 90 days. However, there is no guarantee that lost data can be retrieved if it is accidentally deleted.

• University cloud storage must only be used as temporary storage and data should always be transferred on to network storage.

• Private and confidential data must not be uploaded to any cloud storage service.

• Synchronisation of data using cloud services onto non-University devices must be turned off for all categories of data.

[2] All University laptops are encrypted when they are signed out, anything copied from a University machine to

2.5 Email

University email

Staff and students have University email accounts. Much of the University’s day-to-day activities are undertaken using email, e.g. documents, business decisions, and requests for service/information. Any private or confidential data acquired or sent via email should be removed to network storage as soon as possible.

Personal email

Many staff and students also have personal email through providers such as Gmail and Yahoo. The University permits users to access their personal email accounts on campus; however, their use for private and confidential data is not permitted.

Email on mobile telephones

Mobile phones have very little security. Whether university issued or personally owned, only password protected web-email can be used. Email passwords should not be set to be ‘remembered’ by the device, and email should not be set to download to the device.

! Considerations when using email

• Email is not a completely secure communication tool and there is a significant risk that essential business records may be lost during unplanned system outages.

• University email should only be used for temporary storage of data. Email attachments, and any email text containing private or confidential data, should always be removed and transferred to network storage [3].

• Personal email must not be used to transmit or store private and confidential data.

• Mobile phones should only use password protected web-based email. You should not use an email service that downloads email to the device.

• Any email account, especially on mobile telephones, should be password protected, and the device should not be allowed to remember the password.

! If you are unsure about how to categorise your data and where you can store your data, please contact the Support and Information Zone (SIZ).

[3] Chichester University email to Chichester University email automatically uses encryption, and hence can be

Appendix A: Summary of Best Practice for the Transmission/Storage of data.

[Table: rows are the data categories A (Public), B (Private) and C (Confidential); columns are the storage methods Network (Home (H), Shared (S)), Portable device (University, Personal), Portable media (University, Personal), Cloud (University, Personal) and Email (University, Personal). The approval marks in the table cells did not survive extraction and are not reproduced here.]

Key:

• Approved storage method

• Approved storage method only if encrypted, and only temporarily until the data can be relocated to network storage


Appendix B: Summary of personal responsibilities

The design of computer systems in which information is created and stored is aimed to be as usable as possible, whilst taking into account the best practices involved in avoiding loss or exposure of information.

! IT safeguards can only go so far, and it is how people use the IT that presents the larger risk.

Minimising risks involves actions and awareness, including the requirement to apply the University’s policies, abide by the relevant legal requirements, use only authorised accounts with a secret password, make sure you cannot be overlooked, and make sure your equipment cannot be used by someone else to access information. You must inform SIZ immediately if you believe your password to have been compromised, or if any device used to access or store University information (whether owned by the University or by you) is lost or stolen.

! The use of any authorised account at the University explicitly binds the user (for example; Staff, Student, Partners and Visitors) to abide by this Electronic Information Security Policy.

2.6 The University’s code of conduct

In order to use the University’s infrastructure and systems, you are required to adopt the following:

a) You must inform the University if you believe there may be, or know of any risk of information loss, or unauthorised access to information.

b) All users are required to report any misuse of IT systems, any infringement of this policy and any issue that may endanger full compliance with relevant legislation, particularly the Data Protection Act (1998).

c) Users should not intentionally cause damage or otherwise jeopardise the integrity of computer equipment, software or network services.

d) Users must not knowingly introduce computer viruses to the computer systems, and should take all precautions to prevent their spread.

e) Users must abide by all agreements and contracts by which software and any associated information are accessed at or through University computing services. Specifically, users must not install, replace or update any software or information on University computing equipment without appropriate authority.

f) Users must not alter or install unauthorised software onto University computing equipment without appropriate authority.

g) Users must not take University IT equipment off-site without the appropriate authority to do so.

h) Users must not use any University computing services to gain unauthorised access to any other computing system (internal or external).

i) Users must not use University computing services for storing, receiving or transmitting offensive, indecent or obscene material. If there is a genuine academic need to use such material, this should be approved by the Head of Academic Department in advance and arrangements for their access then made with IT Services.

j) Users must not use any University computing equipment or service to undertake or support any activity that might be considered illegal, inflammatory or threatening. This includes any form of on-line bullying, political, religious or cultural radicalism, or any unauthorised access to any other person or organisation’s computer systems or data.

k) Users must not use University computing services for any commercial activity without appropriate authority from IT Services or Head of Department.

l) Users are not permitted to use the computing services for private commercial purposes or any other employment outside the scope of that person’s official duties or functions.

m) IT Disposal – users must return any University owned IT equipment to IT Services for secure disposal that meets our legal requirements.


Personal consequences of infringement

This summary policy is a guide and not an exhaustive list of what you should or should not do, and you should satisfy yourself of the best practices and the principles of law. Any suspected failure to apply reasonable care, and any suspected infringement of the policy or any related legal requirements, may result in the user’s access being summarily withdrawn pending appropriate investigation, and:

• action under the Disciplinary Policy and Procedure (for staff);

• action under the Academic Regulations (for students).
