Abertay Data Storage Policy




Author: Louise Cardno, Business Analyst
Reviewer: Frazer Greig, ICT Operations Manager
Approved by: Michael Turpie, Head of Information Services
Approval date(s): 03-Jun-2015
Review date: 02-Jun-2016
Version: 1.3

Contents

1. Introduction
2. Purpose
3. Categories of Abertay Data
4. Types of Storage
4.1. Network Storage
4.2. Portable Devices
4.3. Portable Storage Media
4.4. Cloud Storage
4.5. Email
5. Additional Guidance/Support
Appendix A: Best Practice for the Transmission/Storage of Abertay data.

1. Introduction

Most of Abertay's activities generate data in one form or another. Information is an important business asset and as such, we all have a responsibility to safeguard its confidentiality, integrity and availability. This policy supports existing policies for information security and data protection by providing additional requirements for storing Abertay data.

2. Purpose

The purpose of this policy is to help owners of University data to choose an appropriate storage method that ensures it is protected and managed in accordance with the statutory responsibilities and business requirements of the University.

3. Categories of Abertay Data

Data that has value to Abertay must be protected during day-to-day on-campus activities, when working off-campus and when using personal devices. Not all Abertay data has the same level of sensitivity and/or confidentiality and so categorising this data can help data owners better understand the steps needed to protect it from unauthorised access or being lost, stolen or intercepted. It is always the data owner's direct responsibility to ensure their data is safeguarded.

The following data categories are helpful for identifying the sensitivity of Abertay data:

Category A - Public
Any data that can appropriately be viewed by anyone, anywhere e.g. press releases, course information, publications, released research data, conference papers etc.

Category B - Private
Any data where access requires to be limited to specified members of Abertay on a need to know basis e.g. reports, guidance, collaborative documents, draft documents, teaching materials etc.

Category C - Confidential
Any data which identifies an individual, either on its own or by reference to other information. It can include expressions of opinion about an individual. As defined by the Data Protection Act (1998).

Any personal data consisting of information as to an individual's:
- racial or ethnic origin.
- political opinions.
- religious beliefs or other beliefs of a similar nature.
- trade union membership.
- physical or mental health or condition.
- sexual life.
- commission or alleged commission of any offence.
- proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceeding.

Abertay Research Data
Abertay's research activity will produce data that could be categorised as public, private or confidential. These assets are subject to additional controls and guidelines referred to in the Management of Research Data Policy and Guidelines (2013).

If you are unsure about how to categorise your data and where you can store your data please contact the University Secretariat.

4. Types of Storage

Abertay supports a number of different types of storage media, but mandates the use of network storage wherever possible. It is understood that storing Abertay data on the network may not be immediately practical, e.g. when working off campus and access is not available. However, data owners are ultimately responsible for choosing the safest storage option based on legal requirements under the Data Protection Act and their business needs regarding accessibility of information. A useful summary of the do's and don'ts of storage for each categorisation of Abertay data is provided in Appendix A.

4.1. Network Storage

Home drives
All students and staff have access to network storage known as their home drive or M: drive. This is secure network storage for personal Abertay data attached to their network account, which can be securely accessed from any computer or device connected to the Internet.

Shared drives
Departments may also have additional network storage called shared drives or V: drive. This network storage is linked to groups of network accounts enabling users to collaborate and share files within their department or group.

Advantages of using Network Storage
- Files are protected by University information security systems (firewall, antivirus, encryption and secure authentication).
- Files are routinely backed up for business continuity purposes as well as enabling the recovery of data that is accidentally deleted.
- Files that are saved in one location can be accessed from a number of internet-connected devices both on and off campus. This reduces the need for storing multiple copies and increasing the risk of data being inaccurate, lost or stolen.

- Network storage can safely be used for all categories of Abertay data.
- Limited personal use of Abertay systems is permitted and this also applies to storage of non Abertay data which must not exceed a reasonable amount.
- Shared storage areas must only be used for Abertay data that needs to be shared with colleagues in your department or across Abertay.
- Network storage is the only method to permanently store all categories of Abertay data.

4.2. Portable Devices

Abertay Issued Devices
Portable devices (such as laptops, tablets and smartphones) may be issued/loaned to members of the University to allow them to access Abertay resources on the move. Security measures will be taken (such as encryption, user authentication and anti-virus software) to help safeguard Abertay data that is accessed through these devices.

Personal Devices
Abertay also permits students and staff to access some resources through their own personal devices and access is controlled through user authentication. Users also have a responsibility to ensure their devices are protected, e.g. with a firewall, encryption and anti-virus software when accessing Category A Abertay data. Guidance on securing and protecting personal devices may be sought from the IS Service Desk.

4.3. Portable Storage Media

Abertay Issued Storage Media
Portable storage media (CDs/DVDs, USB drives and external hard drives) may be issued/loaned to members of the University for use both on and off campus. Security measures will be taken (such as encryption software) where possible to help safeguard the data stored on this type of media.

Personal Storage Media
The University does not currently restrict the use of personal storage media; however, their use for anything other than temporary storage of Category A Abertay data is not permitted. Users have a responsibility to ensure their media is protected, e.g. with encryption software to be safe. Guidance on securing personal storage media may be sought from the IS Service Desk.

Considerations when using Portable Devices and/or Storage Media
- Files stored only on portable devices and/or storage media have no provision for backup or recovery if they become lost, stolen or corrupted.
- There is a significant risk of reputational damage and/or litigation for Abertay and the data owner if data is stored inappropriately on portable devices.

- Portable devices and storage media must only be used for the temporary storage of any category of data. The data must be removed and transferred to network storage at the earliest opportunity.
- If Category B & C Abertay data needs to be copied to Abertay issued devices or storage media it must be encrypted.
- Personal devices/storage media must not be used to store Category B & C Abertay data.

4.4. Cloud Storage

Abertay Preferred Cloud Storage: OneDrive for Business
All staff and students have access to the University preferred cloud storage system, OneDrive for Business, through Office365. This service offers online storage space for Category A data that can be accessed from many locations and devices (e.g. tablets, smartphones etc.). The University's contractual agreement with Microsoft provides for acceptable levels of data availability and security. Its use for Category B & C Abertay data is currently not permitted.

Other Public Cloud Storage
Other commercial cloud providers, such as Dropbox, iCloud, Google etc. also offer public online storage. However, the service levels offered by these providers are subject to change outwith the control of the University and their use for Abertay data is not permitted. Further guidance will be made available for users to transfer data from other public cloud storage providers to OneDrive for Business.

Considerations when using Cloud storage
- Microsoft's OneDrive for Business is protected by industry standard security systems and deleted files are stored in your recycle bin for a short period, currently 90 days. However, there is no guarantee that lost data can be retrieved if accidentally deleted.

- Abertay cloud storage must only be used as temporary storage and data should always be transferred onto network storage.
- Category B & C Abertay data must not be uploaded to any cloud storage service (Abertay or Public).
- Synchronisation of data using cloud services onto non Abertay devices must be turned off for all categories of data.

4.5. Email

Abertay email
All staff and students have access to an Abertay email account. Much of the University's day-to-day activities are recorded in email messages, e.g. documents, business decisions, and requests for service/information. Guidance on managing emails can be sought from the IS Service Desk.

Personal email
Many staff and students also have access to personal email through providers such as Gmail and Yahoo. Abertay permits users to access their personal email accounts on campus; however, their use for Category B & C Abertay data is not permitted.

Considerations when using email
- Email is not a completely secure communication tool and there is significant risk that essential business records may be lost during unplanned system outages.

- Abertay email should only be used for temporary storage of Abertay data. Email attachments that are to be kept should always be removed and transferred to network storage.
- Personal email must not be used to transmit Category B & C Abertay data.
- Category C Abertay data must never be transmitted by University email unless encrypted and from University issued devices.

5. Additional Guidance/Support

Any enquiries or requests for further support in relation to Abertay data storage or transmission may be directed to IS Service Desk.

Appendix A: Best Practice for the Transmission/Storage of Abertay data.

STORAGE METHOD
Network: Home M:, Shared V:
Portable Device: Abertay, Personal
Portable Storage Media: Abertay, Personal
Cloud Storage: OneDrive for Business, Public
Email: Abertay, Personal

Category
A: Public !
B: Private X X X X X
C: Confidential X X X X X X

Key:
Approved storage method
Approved storage method subject to additional guidance
Strictly Prohibited

! Additional guidance will be made available to allow users to migrate Abertay data from other public cloud providers, such as Dropbox, to OneDrive for Business.