Abertay Data Storage Policy

Transcription

1 Abertay Data Storage Policy Author Louise Cardno, Business Analyst Reviewer Frazer Greig, ICT Operations Manager Approved by Michael Turpie, Head of Information Services Approval date(s) 03-Jun-2015 Review date 02-Jun-2016 Version 1.3

2 Contents 1. Introduction Purpose Categories of Abertay Data Types of Storage Network Storage Portable Devices Portable Storage Media Cloud Storage Additional Guidance/Support... 7 Appendix A: Best Practice for the Transmission/Storage of Abertay data

3 1. Introduction Most of Abertay s activities generate data in one form or another. Information is an important business asset and as such, we all have a responsibility to safeguard its confidentiality, integrity and availability. This policy supports existing policies for information security and data protection by providing additional requirements for storing Abertay data. 2. Purpose The purpose of this policy is to help owners of University data to choose an appropriate storage method that ensures it is protected and managed in accordance with the statutory responsibilities and business requirements of the University. 3. Categories of Abertay Data Data that has value to Abertay must be protected during day-to-day on-campus activities, when working off-campus and when using personal devices. Not all Abertay data has the same level of sensitivity and/or confidentiality and so categorising this data can help data owners better understand the steps needed to protect it from unauthorised access or being lost, stolen or intercepted. It is always the data owner s direct responsibility to ensure their data is safeguarded. The following data categories are helpful for identifying the sensitivity of Abertay data: - Category A - Public Any data that can appropriately be viewed by anyone, anywhere e.g. press releases, course information, publications, released research data, conference papers etc. Category B - Private Any data where access requires to be limited to specified members of Abertay on a need to know basis e.g. reports, guidance, collaborative documents, draft documents, teaching materials etc. Category C - Confidential Any data which identifies an individual, either on its own or by reference to other information. It can include expressions of opinion about an individual. As defined by the Data Protection Act (1998). Any personal data consisting of information as to an individual s: - racial or ethnic origin. political opinions. religious beliefs or other beliefs of a similar nature. trade union membership. physical or mental health or condition. sexual life. 2

4 commission or alleged commission of any offence. proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceeding. Abertay Research Data Abertay s research activity will produce data that could be categorised as public, private or confidential. These assets are subject to additional controls and guidelines referred to in the Management of Research Data Policy and Guidelines (2013). If you are unsure about how to categorise your data and where you can store your data please contact the University Secretariat 3

5 4. Types of Storage Abertay supports a number of different types of storage media, but mandates the use of network storage wherever possible. It is understood that storing Abertay data on the network may not be immediately practical, e.g. when working off campus and access is not available. However, data owners are ultimately responsible for choosing the safest storage option based on legal requirements under the Data Protection Act and their business needs regarding accessibility of information. A useful summary of the do s and don ts of storage for each categorisation of Abertay data is provided in Appendix A Network Storage M: V: Home drives All students and staff have access to network storage known as their home drive or M: drive. This is secure network storage for personal Abertay data attached to their network account, which can be securely accessed from any computer or device connected to the Internet. Shared drives Departments may also have additional network storage called shared drives or V: drive. This network storage is linked to groups of network accounts enabling users to collaborate and share files within their department or group. Advantages of using Network Storage Files are protected by University information security systems (firewall, antivirus, encryption and secure authentication). Files are routinely backed up for business continuity purposes as well as enabling the recovery of data that is accidentally deleted. Files that are saved in one location can be accessed from a number of internetconnected devices both on and off campus. This reduces the need for storing multiple copies and increasing the risk of data being inaccurate, lost or stolen. Network storage can safely be used for all categories of Abertay data. Limited personal use of Abertay systems is permitted and this also applies to storage of non Abertay data which must not exceed a reasonable amount. Shared storage areas must only be used for Abertay data that needs to be shared with colleagues in your department or across Abertay. Network storage is the only method to permanently store all categories of Abertay data. 4

6 4.2. Portable Devices Abertay Issued Devices Portable devices (such as laptops, tablets and smartphones) may be issued/loaned to members of the University to allow them to access Abertay resources on the move. Security measures will be taken (such as encryption, user authentication and anti-virus software) to help safeguard Abertay data that is accessed through these devices. Personal Devices Abertay also permits students and staff to access some resources through their own personal devices and access is controlled through user authentication. Users also have a responsibility to ensure their devices are protected, e.g. with a firewall, encryption and anti-virus software when accessing Category A Abertay data. Guidance on securing and protecting personal devices may be sought from the IS Service Desk Portable Storage Media Abertay Issued Storage Media Portable storage media (CDs/DVDs, USB drives and external hard drives) may be issued/loaned to members of the University for use both on and off campus. Security measures will be taken (such as encryption software) where possible to help safeguard the data stored on this type of media. Personal Storage Media The University does not currently restrict the use of personal storage media; however, their use for anything other than temporary storage of Category A Abertay data is not permitted. Users have a responsibility to ensure their media is protected, e.g. with encryption software to be safe. Guidance on securing personal storage media may be sought from the IS Service Desk. Considerations when using Portable Devices and/or Storage Media Files stored only on portable devices and/or storage media have no provision for backup or recovery if they become lost, stolen or corrupted. There is a significant risk of reputational damage and/or litigation for Abertay and the data owner if data is stored inappropriately on portable devices. Portable devices and storage media must only be used for the temporary storage of any category of data. The data must be removed and transferred to network storage at the earliest opportunity. If Category B & C Abertay data needs to be copied to Abertay issued devices or storage media it must be encrypted. Personal devices/storage media must not be used to store Category B & C Abertay data. 5

7 4.4. Cloud Storage Abertay Preferred Cloud Storage OneDrive for Business All staff and students have access to the University preferred cloud storage system OneDrive for Business - through Office365. This service offers online storage space for Category A data that can be accessed from many locations and devices (e.g. tablets, smartphones etc.). The University s contractual agreement with Microsoft provides for acceptable levels of data availability and security. Its use for Category B & C Abertay data is currently not permitted. Other Public Cloud Storage Other commercial cloud providers, such as Dropbox, icloud, Google etc. also offer public online storage. However, the service levels offered by these providers are subject to change outwith the control of the University and their use for Abertay data is not permitted. Further guidance will be made available for users to transfer data from other public cloud storage providers to OneDrive for Business. Considerations when using Cloud storage Microsoft s OneDrive for Business is protected by industry standard security systems and deleted files are stored in your recycle bin for a short period, currently 90 days. However, there is no guarantee that lost data can be retrieved if accidentally deleted. Abertay cloud storage must only be used as temporary storage and data should always be transferred onto network storage. Category B&C Abertay data must not be uploaded to any cloud storage service (Abertay or Public). Synchronisation of data using cloud services onto non Abertay devices must be turned off for all categories of data Abertay All staff and students have access to an Abertay account. Much of the University s day-to-day activities are recorded in messages, e.g. documents, business decisions, and requests for service/information. Guidance on managing s can be sought from the IS Service Desk. Personal Many staff and students also have access to personal through providers such as Gmail and Yahoo. Abertay permits users to access their personal accounts on campus; however their use for Category B&C Abertay data is not permitted. 6

8 Considerations when using is not a completely secure communication tool and there is significant risk that essential business records may be lost during unplanned system outages. Abertay should only be used for temporary storage of Abertay data. attachments that are to be kept should always be removed and transferred to network storage. Personal must not be used to transmit Category B & C Abertay data. Category C Abertay data must never be transmitted by University unless encrypted and from University issued devices. 5. Additional Guidance/Support Any enquiries or requests for further support in relation to Abertay data storage or transmission may be directed to IS Service Desk. 7

9 Appendix A: Best Practice for the Transmission/Storage of Abertay data. Network Portable Device STORAGE METHOD Portable Storage Media Category Home M: Shared V: Abertay Personal Abertay Personal OneDrive for Business Cloud Storage Public Abertay Personal A: Public! B: Private X X X X X C: Confidential X X X X X X Approved storage method Approved storage method subject to additional guidance Strictly Prohibited! Additional guidance will be made available to allow users to migrate Abertay data from other public cloud providers, such as Dropbox, to OneDrive for Business 8