I am writing to you to make you aware of the University’s new Information Security Policy, and the associated Information Classification and Handling Table.
All staff should engage with the Information Security Policy and the requirements of the Information Classification and Handling Table as compliance is mandatory and any breaches of the policy may lead to action being taken under the Staff Disciplinary Procedures.
The Information Security Policy sets out expectations of staff in relation to User Accounts, Mobile Computing, Encryption, Software and Network Management.
The Information Classification and Handling Table breaks down all information and data into three specific categories – ‘Highly Sensitive’, ‘Personal/Confidential’, ‘Non-Sensitive/Open’ and explains staff should store and share each category of information.
We recognise that for some staff the requirements of the policy and associated table will mean a significant change in work practice and behaviour. Therefore, the Vice Chancellor’s Advisory Group has agreed that staff have until the 1st November 2017 to become fully compliant with the policy.
Below are some simple Do’s and Don’ts of Information Security which all staff should follow.
|Seek advice from the IT Service Desk if you are unsure about any aspect of Information Security.||DON’T disclose your account password to anyone either verbally or via email. That includes members of IT.|
|Change your password if you have any suspicion that it may have been compromised.||DON’T use your University password as the password for any other service.|
|Report any loss or suspected loss of data to the IT Service Desk.||DON’T undermine or seek to undermine the security of computer systems.|
|Ensure that equipment that has been used to store sensitive University data is disposed of correctly.||DON’T make copies of restricted University information without permission.|
|Encrypt mobile devices which you use for University business including personal devices. Advice is available from the IT Service Desk||DON’T provide access to University information or systems to those who are not entitled to access.|
|When sharing sensitive information with others always follow the advice in the Information Handling Guidelines.||DON’T leave your computer unlocked when unattended.|
|Password protect your personally owned devices.||DON’T use a personal email account for conducting University business.|
|Keep all of the software on your personally owned devices up to date.||DON’T connect personally owned storage or mobile devices to University owned devices|
|Be aware of the risks of using open (unsecured) Wi-Fi hotspots or public computers in libraries, airports, etc||DON’T send, forward or open unauthorised bulk (spam) email.|
|Assume that Information Security is relevant to you.||DON’T leave paper-based records in plain sight where they can be viewed by unauthorised people|
|Ensure that paper-based information is securely locked away when you are away from your desk.||DO NOT leave hard copies of confidential information unattended or unsecured.|
Over the summer, the IT team will be working with departments across the University to enable staff to access and use the IT provisions we already have.
Mandatory training for all staff on Information Security and Data Protection will be rolled out across the University in 2017/18.
Any staff with specific IT queries or needs should contact the IT Service Desk. Some specific advice and guidance is available via the IT webpages or the IT Service Desk:
Cloud Storage – the University’s approved solution is One Drive for Business. Using cloud storage will significantly increase your storage capacity and allow you to access your files and documents securely when away from the University and reduce the need for USB sticks, which are vulnerable to loss or being misplaced.
Secure Storage of Data – if you are working away from the University or are sharing data in the ‘High Sensitive’ or ‘Personal/Confidential’ categories you should ensure that the information is secure.
Protect your emails and documents using Rights Management Services (RMS) – RMS allows you to apply access permissions and expiry dates to your documents and emails. It is intended to be used when working with ‘Highly/Sensitive’ and ‘Personal/Confidential’ classed data.
We will continue to develop technology, support and training relating to Information Security and will keep staff updated on a regular basis via all user emails, briefing notes to Heads and via the new Information Assurance webpage