Summary Electronic Information Security Policy


University of Chichester
Summary Electronic Information Security Policy 2015
Date of Issue: 24 December 2015
Policy Owner: Head of ICT, Strategy and Architecture
Electronic Information Security Policy Summary, Version 04/10/2015


Contents

1 Introduction and core principles
1.1 Purpose
1.2 Summary Categories of University Data
2 Types of Storage
2.1 Network Storage
2.2 Portable Devices
2.3 Portable Storage
2.4 Cloud Storage
2.5 Email
Appendix A: Summary of Best Practice for the Transmission/Storage of data
Appendix B: Summary of personal responsibilities
  The University's code of conduct
  Personal consequences of infringement

Support and Information Zone (SIZ) 01243 816222 help@chi.ac.uk


1 Introduction and core principles

Most of the University's activities generate data in one form or another. Information is an important business asset and as such, we all have a responsibility to safeguard its confidentiality, integrity and availability. This policy supports existing policies for information security and data protection by providing additional requirements for storing University data.

! It is always the data owner's direct responsibility to ensure their data is safeguarded.

1.1 Purpose

The purpose of this policy is to help owners of University data to choose an appropriate storage method that ensures it is protected and managed in accordance with the statutory responsibilities and business requirements of the University.

1.2 Summary Categories of University Data

Data that has value to the University of Chichester must be protected during day-to-day on-campus activities, when working off-campus and when using personal devices. Not all University data has the same level of sensitivity and/or confidentiality, and so categorising this data can help data owners better understand the steps needed to protect it from unauthorised access or from being lost, stolen or intercepted. The following data categories are helpful for identifying the sensitivity of University data:

Category A - Public: Any data that can appropriately be viewed by anyone, anywhere, e.g. press releases, course information, publications, released research data, conference papers etc.

Category B - Private: Any data where access requires it to be limited to specified members of the University of Chichester on a need-to-know basis, e.g. reports, guidance, collaborative documents, draft documents, teaching materials etc.

Category C - Confidential: Any data which identifies an individual, either on its own or by reference to other information. It can include expressions of opinion about an individual. As defined by the Data Protection Act (1998), any personal data consisting of information as to an individual's:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sexual life
- proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

The University of Chichester's research activity will produce data that could be categorised as public, private or confidential.

! If you are unsure about how to categorise your data and where you can store your data please contact the Support and Information Zone (SIZ).

2 Types of Storage

Although the University supports a range of storage media, we recommend using network storage wherever possible. Storing University data on the network may not be immediately practical, e.g. when working off campus; however, data users are ultimately responsible for choosing the safest storage option based on legal requirements under the Data Protection Act and their business needs regarding accessibility of information. A summary of the do's and don'ts of storage for each categorisation of University data is provided in Appendix A.

2.1 Network Storage

Home drives
All students and staff have access to network storage known as their home drive or H: drive. This is secure network storage for personal University data attached to their network account, which can be securely accessed from any computer or device connected to the Internet.

Shared drives
Departments may also have additional network storage called shared drives or S: drive. This network storage is linked to groups of network accounts, enabling users to collaborate and share files within their department or group.

! Advantages of using Network Storage
- Files are protected by University information security systems [1].
- Files are routinely backed up for business continuity purposes as well as enabling the recovery of data that is accidentally deleted.
- Files that are saved in one location can be accessed from a number of internet-connected devices both on and off campus. This reduces the need for storing multiple copies, which increases the risk of data being inaccurate, lost or stolen.

! Network storage can safely be used for all categories of University data.

2.2 Portable Devices

University Issued Devices
Portable devices (such as laptops, tablets and smartphones) may be issued/loaned to members of the University to allow them to access University resources on the move. Security measures will be taken (such as encryption, user authentication and anti-virus software) to help safeguard University data that is accessed through these devices.

Personal Devices
The University also permits students and staff to access some resources through their personal devices, and access is controlled through user authentication. Users also have a responsibility to ensure their devices are protected, e.g. with a password, encryption and anti-virus software, even when only accessing public data.

! If you are unsure about how to manage data on a University issued or on your own device please contact the Support and Information Zone (SIZ).

[1] Firewalls, antivirus, encryption and secure authentication.

2.3 Portable Storage

University Issued Storage Media
Portable storage media (CDs/DVDs, USB drives and external hard drives) may be issued/loaned to members of the University for use both on and off campus. Security measures will be taken (such as encryption software) where possible to help safeguard the data stored on this type of media.

Personal Storage Media
The University does not currently restrict the use of personal storage media; however, their use for private and confidential University data is not permitted.

Mobile Telephones
Mobile phones cannot be backed up and recovered from. Mobile phones have very little security, and must not be used to store private and confidential data.

! Considerations when using Portable Devices and/or Storage Media
- Files stored only on portable devices and/or storage media have no provision for backup or recovery if they become lost, stolen or corrupted.
- There is a significant risk of reputational damage and/or litigation for the University and the data owner if data is stored inappropriately on portable devices.

! Portable devices and storage media must only be used for the temporary storage of any category of data. The data must be removed and transferred to network storage at the earliest opportunity. If it cannot be avoided and private and confidential data has to be copied to University issued devices or storage media, these devices and media must be encrypted [2]. Personal devices/storage media, including personal email accounts, must not be used to store private and confidential data.

2.4 Cloud Storage

University Preferred Cloud Storage - OneDrive for Business
All staff and students have access to the University preferred cloud storage system, OneDrive for Business, through Office365. This service offers online storage space for public data that can be accessed from many locations and devices (e.g. tablets, smartphones etc.). The University's contractual agreement with Microsoft provides for acceptable levels of data availability and security. Its use for private and confidential University data is currently not permitted.

Other Public Cloud Storage
Other commercial cloud providers, such as Dropbox, iCloud, Google etc. also offer public online storage. However, the service levels offered by these providers are beyond the control of the University and their use for University data is not permitted.

! Considerations when using Cloud storage
- Microsoft's OneDrive for Business is protected by industry standard security systems and deleted files are stored in your recycle bin for a short period, currently 90 days. However, there is no guarantee that lost data can be retrieved if it is accidentally deleted.
- University cloud storage must only be used as temporary storage and data should always be transferred on to network storage.
- Private and confidential data must not be uploaded to any cloud storage service.
- Synchronisation of data using cloud services onto non-University devices must be turned off for all categories of data.

2.5 Email

University email
Staff and students have University email accounts. Much of the University's day-to-day activities are undertaken using email, e.g. documents, business decisions, and requests for service/information. Any private or confidential data acquired or sent via email should be removed to network storage as soon as possible.

Personal email
Many staff and students also have personal email through providers such as Gmail and Yahoo. The University permits users to access their personal email accounts on campus; however, their use for private and for confidential data is not permitted.

Email on mobile telephones
Mobile phones have very little security. Whether University issued or personally owned, only password protected web-email can be used. Email passwords should not be set to be remembered by the device, and email should not be set to download to the device.

! Considerations when using email
- Email is not a completely secure communication tool and there is significant risk that essential business records may be lost during unplanned system outages.
- University email should only be used for temporary storage of data. Email attachments, and any email text containing private or confidential data, should always be removed and transferred to network storage [3].
- Personal email must not be used to transmit or store private and confidential data.
- Mobile phones should only use password protected web-based email. You should not use an email service that downloads email to the device. Any email, and especially for mobile telephones, should be password protected, and the device should not be allowed to remember the password.

! If you are unsure about how to categorise your data and where you can store your data please contact the Support and Information Zone (SIZ).

[2] All University laptops are encrypted when they are signed out; anything copied from a University machine to, for example, a USB stick will forcibly encrypt the USB stick before copying any data.

[3] Chichester University email to Chichester University email automatically uses encryption, and hence can be used for the transmission of private and confidential data only if absolutely necessary; however, the sent item and the received item should be removed from email into network storage as soon as possible.

Appendix A: Summary of Best Practice for the Transmission/Storage of data

Storage Method (columns) by Category (rows); each cell is marked using the key below.

Storage methods (columns):
- Network: Home (H), Shared (S)
- Portable device: University, Personal
- Portable media: University, Personal
- Cloud: University, Personal
- Email: University, Personal

Data categories (rows):
- A: Public
- B: Private
- C: Confidential

Key:
- Approved storage method
- Approved storage method only if encrypted, and only temporarily until the data can be relocated to network storage
- Strictly Prohibited

Appendix B: Summary of personal responsibilities

The design of computer systems in which information is created and stored is aimed to be as usable as possible, whilst taking into account the best practices involved in avoiding loss or exposure of information.

! IT safeguards can only go so far, and it is how people use the IT that presents the larger risk.

Minimising risks involves actions and awareness, including the requirement to apply the University's policies, abide by the relevant legal requirements, use only authorised accounts with a secret password, and make sure you can't be overlooked and that your equipment cannot be used to access information by someone else. You must inform SIZ immediately if you believe your password to have been compromised, or if any device used to access or store University information (whether owned by the University or by you) is lost or stolen.

! The use of any authorised account at the University explicitly binds the user (for example: Staff, Student, Partners and Visitors) to abide by this Electronic Information Security Policy.

2.6 The University's code of conduct

In order to use the University's infrastructure and systems, you are required to adopt the following:

a) You must inform the University if you believe there may be, or know of, any risk of information loss or unauthorised access to information.
b) All users are required to report any misuse of IT systems, any infringement of this policy and any issue that may endanger full compliance with relevant legislation, particularly the Data Protection Act (1998).
c) Users should not intentionally cause damage or otherwise jeopardise the integrity of computer equipment, software or network services.
d) Users must not knowingly introduce computer viruses to the computer systems, and should take all precautions to prevent their spread.
e) Users must abide by all agreements and contracts by which software and any associated information are accessed at or through University computing services. Specifically, users must not install, replace or update any software or information on University computing equipment without appropriate authority.
f) Users must not alter or install unauthorised software onto University computing equipment without appropriate authority.
g) Users must not take University IT equipment off-site without the appropriate authority to do so.
h) Users must not use any University computing services to gain unauthorised access to any other computing system (internal or external).
i) Users must not use University computing services for storing, receiving or transmitting offensive, indecent or obscene material. If there is a genuine academic need to use such material, this should be approved by the Head of Academic Department in advance and arrangements for their access then made with IT Services.
j) Users must not use any University computing equipment or service to undertake or support any activity that might be considered illegal, inflammatory or threatening. This includes any form of on-line bullying, political, religious or cultural radicalism, or any unauthorised access to any other person's or organisation's computer systems or data.
k) Users must not use University computing services for any commercial activity without appropriate authority from IT Services or Head of Department.
l) Users are not permitted to use the computing services for private commercial purposes or any other employment outside the scope of that person's official duties or functions.
m) IT Disposal: users must return any University owned IT equipment to IT Services for secure disposal that meets our legal requirements.

! Please Remember: in accordance with Data Protection legislation, you as well as the University are jointly and severally liable for your actions and their consequences.

Personal consequences of infringement

This summary policy is a guide and not an exhaustive list of what you should or should not do, and you should satisfy yourself of the best practices and the principles of law. Any suspected failure to apply reasonable care, and any suspected infringement of the policy or any related legal requirements, may result in the user's access being summarily withdrawn pending appropriate investigation, and action under the Disciplinary Policy and Procedure (for staff) or action under the Academic Regulations (for students).

! Any investigation into data loss, and the failure to comply with the Data Protection Act (1998), may lead to civil or criminal proceedings for you and for the University.