Information Security

Information Security: A staff guide to the University's Information Systems Security Policy. Issued by the IT Security Group on behalf of the University.

Information Systems Security Guidelines for Staff

If you use any computer system, then this applies to you.

1. Why is Information Security Important?

Data held on IT systems is valuable and critical to the business of the University. We all rely on IT to store and process information, so it is essential that we maintain Information Security. The purpose of information security policies is to preserve:

- Confidentiality: data is only accessed by those with the right to view the data.
- Integrity: data can be relied upon to be accurate and processed correctly.
- Availability: data can be accessed when needed.

Staffordshire University has produced an Information Systems Security Policy and a detailed Manual, which are available in School/Service Offices and on the web. These guidelines summarise what you need to know and what you must do to help keep information secure. Failure to comply with the requirements of these Information Security Guidelines may lead to disciplinary action.

2. Information Security Management

The implementation of information security throughout the University is the role of the IT Security Group (chaired by the Client Technology and Applications Manager), which reports to the IT Management Board. Every member of staff is personally responsible for complying with the policy and guidelines.

3. Response to Security Incidents

An information security incident is an event which may compromise the confidentiality, existence, accuracy or availability of stored information. You, as a computer user, are responsible for complying with the regulations, and for reporting security breaches. If you become aware of any security incident that affects you or your colleagues then you should report it. In the first instance, staff should contact 3800; students should contact 3700. The incident will then be logged and passed to the Information Protection & Security Manager and/or Client Technology & Applications Manager (as applicable) for evaluation and possible further action.

Examples of activities which constitute security incidents include:

- Password is Compromised: you discover that someone else has access to your account using your password, or others are misusing passwords.
- Hacking Attempt: IT systems may disable accounts where the wrong password is entered more than a set number of times. If your account was disabled because someone else was attempting to access it, then a security incident has occurred.
- Computer Virus Infection: a virus infection that was not detected and cleaned automatically.
- Computer Files Missing: unexplained deletion of any file.
- Unexplained Changes to System Data / Configuration: any unexplained change to data.
- Theft / Loss of IT Equipment: a theft or loss is an information security incident if it means that information is lost or made available to others.
- Unauthorised People Using or Attempting to Use IT Equipment: this particularly applies to areas where sensitive data is processed.

In general, an Information Security Incident is any event that resulted in, or could have resulted in:

- Disclosure of confidential information to an unauthorised person.
- The integrity of the system or data being compromised.
- Embarrassment to the University.
- Financial loss.
- Disruption to information processing systems.

Guidelines on Actions you must take to ensure Information Security

4. Passwords

Your password is your main protection against someone else using your account. It enables you to make sure they can't use your account to send email in your name, access your data, or make changes to your data. All activity on your account is deemed to have been made by you.

You must:

- Change your password periodically. Access to some systems requires a change at least every 90 days, enforced by password expiry.
- Choose a password that meets the complexity criteria required by the system in question. If none are enforced technically, you must choose a password that includes at least three of the following: lower case letters, upper case letters, digits, and punctuation or other special characters.
- Choose a password that cannot be guessed (avoid using your name, children's or pets' names, car registration number, football team, etc).
- Keep passwords secret.
- Change your password immediately if you suspect someone knows it.
- Log out when away from your system.

You must not:

- Use the Save Password option in login boxes.
- Write down passwords in a form that others could identify.
- Share passwords.
- Give your password to anyone.
- Re-use old passwords.
- Allow anyone to watch you typing your password.

5. Physical Security

Data held in electronic form with suitable backups is less vulnerable to loss than paper copy. This includes formal records, documents, course material and assessments. Consider this method of storage whenever possible.

Do:

- Protect your system from unauthorised use, loss or damage, e.g. lock your door when out of the office.
- Take measures to guard it from ground floor windows.
- Keep portable equipment secure, e.g. do not leave it in a car.
- Position monitors and printers so that others cannot see sensitive or personal data.
- Keep removable media such as USB devices in a secure place.
- Seek advice on disposing of equipment.
- Report any loss.
- Take particular care at home to keep the system and sensitive data secure from other people.
- Take care not to spill food or drinks over the equipment.
- Get authorisation before taking equipment off-site.
- Take care when moving equipment.
- Log out, shut down or lock the system when leaving your office.
- Switch off overnight.
- Ensure sensitive or personal data is deleted from internal disks prior to disposal or transfer of desktop equipment.

6. Backups

You must recognise that all forms of data storage are subject to data loss, for example as a result of a power cut or hardware fault. You must therefore take steps to ensure there are copies of all important data, called backups. You are responsible for the security of data on your desktop equipment, including backups of all important data held on it. Information stored on central servers is backed up regularly by Information Services.

You must:

- Wherever possible, save important data onto centrally managed network drives (the H: drive). These are backed up daily.
- Take copies of data from your local hard drive (C:) to your H: drive, or if this is not possible for some reason, to removable media.
- Between backups, keep your original copy of all data entered, so that you can re-input it if necessary.
- Keep your removable media in a secure location away from the computer. It is no use having these in a desk drawer if the desk and computer are destroyed by fire.
- Regularly check that another system can read the removable media.

7. Viruses and Malicious Software

Malicious software covers all software which has been deliberately designed to harm computer systems. Such software is spread from one system to another through:

- email (for example, through attachments or via hyperlinks)
- exchange or download of files
- infected removable media
- embedding into computer games, screen savers, etc

The computer systems that use the Information Services standard Windows software image are protected automatically using the latest versions of the anti-virus software. However, you should be aware that the anti-virus software cannot automatically detect newly developed viruses. You should therefore take the following precautions to guard against attack:

- Staff must become familiar with the operation of the anti-virus software and must not change the scanning properties.
- Staff must only acquire software from reputable sources.
- Staff must not load unauthorised software onto their computer.
- Staff must not use unsolicited removable media received from untrusted sources.
- Staff must not open email attachments from unsolicited or untrusted sources.
- Staff should monitor the University News, Events and Announcements RSS feed for new security and virus alerts and take appropriate action.

Staff using computers (either PCs or Macintoshes) which are not set up using a standard University image are additionally responsible for the following precautions:

- Staff must ensure that an effective anti-virus system is operating.
- Staff must check, at least every month, that their virus definition files are up to date.
- Staff must monitor the University News, Events and Announcements RSS feed for new virus alerts and update their virus definition files immediately.
- Staff must configure their anti-virus software so that it automatically scans incoming documents.

8. Shared Access to Data

If you set up a shared database or share files / folders on your local disk, then you must ensure that Information Security is not compromised.

You must:

- Ensure that access is only given to those users authorised to share this data.
- Take care to remove any global access rights from the share.
- Decide how this data will continue to be shared in the event of failure or loss of your system.
- Document the system so that it can be recovered in the event of loss.

9. Legal Requirements and other IT Regulations

All users must be aware of the legal requirements and the University IT Regulations. Details, and a guide to legislation, are available on the University web site. When you apply for an account on, or use, any University system you agree to comply with all relevant legislation. In summary:

Data Protection Act 1998: You have responsibility and liability if you process personal data. You must be particularly careful not to disclose personal data to anyone who does not have the right to access it.

Copyright, Designs & Patents Act 1988: You must not use or copy any software for which there is no software licence. You must not install any software without authorisation.

Computer Misuse Act 1990: The following activities are a criminal offence:

- Unauthorised access (hacking)
- Unauthorised access with intent to commit a further offence
- Unauthorised modification (including introducing a virus)

Email Policy & Internet Policy: The University publishes an Email Policy and an Internet Policy which provide guidance for staff.