​Records and Information – Security

Information Security Classification Scheme 

The University now has an Information Security Classification Scheme to help you assess the risks and provide adequate security for various types of information/records:

Information Security Classification Scheme V2.1

Using Records: Security Issues

Security is particularly vital for records containing:

• Personal data;
• Commercially sensitive information;
• Information provided in confidence;
• Legally privileged information.

Because:

• The Data Protection Act requires us to protect personal data against unauthorised access and accidental loss;
• Poor data security (e.g. loss of USB sticks or paper records) can lead to reputational damage and result in the University being fined or prosecuted.

The University’s Information Security Policies can be accessed here.

Information Security: General

Information Commissioner’s Office (ICO) guidance states -

A data security breach can happen for a number of reasons:

• Loss or theft of data or equipment on which data is stored;
• Inappropriate access controls allowing unauthorised use;
• Equipment failure;
• Human error (or behaviour) employee responsibility and awareness;
• Unforeseen circumstances such as a fire or flood;
• Hacking attack;
• ‘Blagging’ offences where information is obtained by deceiving the organisation which holds it.

Keeping information secure

^Electronic

• Passwords – keep passwords secure; use strong passwords with letters, numbers and characters; change passwords regularly.
• Lock your PC / electronic device whenever you are logged into the University network and are not using it, e.g. when you move away from your desk!
• Access – ensure the appropriate colleagues have access to the information and access is restricted for others. Access setting on SharePoint and MS Explorer folders can be restricted or passwords used.  Access to software systems (proprietary and free) should be maintained (restricted or allowed) by system administrators.
• Mobile devices (laptop/USB/etc.) should be encrypted and kept secure.  If you are accessing University information on your mobile phone, ensure it locks.
• Mobile devices should be backed up regularly e.g. information placed on the University network in the appropriate departmental area.
• Data sharing – encrypt emails as appropriate (and ensure that University policy is adhered to, including the Data Protection Code of Practice).
• University systems should be accessed remotely through the virtual private network (VPN)
• Complete the online Security Awareness training module!

Physical

• Clear desk policy.
• Locked drawers / cabinets / offices – don’t expect colleagues to lock up on your behalf.  Locked offices are particularly important if you are unable to operate a clear desk policy.
• If you work from home, it is not advisable to take paper documents and records home with you, particularly if they contain personal or confidential information.  Only take them home if you really have to!  Don’t leave them in your vehicle en route and do lock them up when you get home.
• Ensure you have all your print-outs when you finish printing.
• Use the University’s offsite storage facility.
• Use the confidential disposal consoles (paper and redundant electronic media) or arrange for bulk shredding (via Property and Facilities).
• Don’t put confidential or personal data in the recycling bins.
• Ensure your PC monitor can’t be overlooked.
• … and, of course, lock your PC when you move away from your desk (this should become automatic)!  And, again, don’t expect colleagues to ensure it's secure.

                                                                                                                 Page last updated 15 August 2017