Information security

The University reserves the right to monitor use of IT systems and data, audit networks and systems and implement technical controls. We do this to secure data and systems, and to protect the safety of other users. All monitoring and auditing is conducted in compliance with UK legislation.

You should take care of any University information you have access to including your own work, and protect it against unauthorised disclosure, modification or destruction. Here are three simple steps you can take to protect your identity and your work:

1. Look after the password for your University account. You must never disclose your password to anyone (including IT staff will never ask you for your password).
2. Update any personal computers and devices you use to access University information with the latest software patches and updates, and protecting your computer using up to date anti-virus software.
3. Secure any personal computer or device you use to access University information with a PIN or password. This makes it harder for someone to access your personal information or University information if your device is lost or stolen.

3.1. Information classification

You must handle University information according to the University Information Classification Policy. This policy defines how University information is classified based on its level of sensitivity and its value to the University. That classification then determines how you should store, process and transfer that data. You should take particular care to handle Personally Identifiable Information (PII) in accordance with the University Data Protection and Information Classification Policies.

3.2. Personally identifiable information in email

If you handle confidential or restricted personally identifiable information in email (e.g., you have teaching, supervision or management responsibilities), you must not forward your email to a third party email service, as this would be in breach of the University Information Classification Policy.

Hard copy confidential data should be locked away when not required, especially when you are not in your office or remote working space.

Computers you use to access University systems and data should be secured with a ‘lock-on-idle’ policy after (at most) 10 minutes of inactivity. In addition, the screen and keyboard should be manually locked by the responsible user whenever leaving the machine unattended.

Because information on portable devices such as laptops, tablets and smartphones, is especially vulnerable, special care should be exercised with these devices. You will be held responsible for the consequences of theft of or disclosure of information on portable devices you use for work if you have not taken reasonable precautions to secure it (including those set out in this policy).

3.5. Information transfer

You must not send, upload, remove on portable media or otherwise transfer to a non-University system any information that is designated as confidential, or which you could reasonably regard as being confidential to the University, except where explicitly authorized by your line manager or the information asset owner.

If you think your computer or a University computer is infected with a virus, your account password is known by someone else, or you believe information is at risk for any other reason, you should immediately report this as breach by following the personal data breach process. There is no penalty for reporting something which turns out not to be legitimate, so if in doubt, report it.

5. Unacceptable use

All users should use their own judgement regarding what is unacceptable use of University systems. Below are some examples of unacceptable use of University systems. This list is not exhaustive, and when using University systems you should bear in mind the terms and conditions of your employment contract, the University Equality, Diversity and Inclusion Policy, and ultimately the interests and wellbeing of colleagues and students. 

5.1. Examples of unacceptable use of University IT systems

• Creation or transmission of material (including via social media) which is defamatory and could constitute harassment or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety.
• Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images). 
• Creation or transmission of material with the intent to defraud. 
• Creation or transmission of material such that this infringes the copyright of another person.
• Deliberate unauthorised access to networked facilities or services.
• Illegal activity including, but not limited to, accessing pornographic images or sites or media which are specifically designed to promote terrorism or which advocates or promotes any unlawful act.
• Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures.
• Any activity which brings the University into disrepute.    
  

Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0, Approved: 9th February, 2021; Next review: Q1 2022

The University reserves the right to monitor your use of IT systems and data, audit networks and systems and implement technical controls. We do this to secure data and systems, and to protect the safety of other users. All monitoring and auditing is conducted in compliance with UK legislation.

5. Protection of information

You should take care of any University information you have access to including your own work, and protect it against unauthorised disclosure, modification or destruction. Here are three simple steps you can take to protect your identity and your work.

1. Look after the password for your University account. You must never disclose your password to anyone (including IT staff who will never ask you for your password).
2. Update any computers and devices you use to access University information with the latest software patches and updates, and protecting your computer using up to date anti-virus software.
3. Secure any computer or device you use to access University information with a PIN or password. This makes it harder for someone to access your personal information or University information if your device is lost or stolen.

6. Reporting security events

If you think a University computer is infected with a virus, your account password is known by someone else, or you believe information is at risk for any other reason, you should immediately report this as breach by following the personal data breach process. There is no penalty for reporting something which turns out not to be legitimate, so if in doubt, report it.

7. Unacceptable use

Below are some examples of unacceptable use of University systems. This list is not exhaustive, and when using University systems you should bear in mind the Student Code of Conduct and Disciplinary Procedure, and ultimately the interests and wellbeing of University staff and your fellow students.

7.1. Examples of unacceptable use of University IT systems

• Creation or transmission of material (including via social media) which is defamatory and could constitute harassment, hate crime or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety. 
• Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images). 
• Creation or transmission of material with the intent to defraud. 
• Creation or transmission of material such that this infringes the copyright of another person. 
• Deliberate unauthorised access to networked facilities or services. 
• Illegal activity including, but not limited to, accessing pornographic images or sites or media which are specifically designed to promote terrorism or which advocates or promotes any unlawful act. 
• Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures. 
• Any activity which brings the University into disrepute.
  

Role: Senior Information Risk Owner (SIRO)
Role/title: University Secretary and Registrar
Responsibility: Providing accountability and assurance to UEG that information governance policies, including data protection and information security policies are complied with.

Role: Information Asset Owners
Role/title: Executive Deans Directors, Deputy Vice-Chancellors, members of the Senior Leadership forum
Responsibility: Has accountability and authority to manage the risk; approving the risk treatment plan and residual risk for the risks that they own.

Role: Risk Assessors
Role/title: Privacy Coordinators
Responsibility: Compliance with Data Protection policy, including assessment of information security risk within their organisational area.

The University Information Classification policy sets a framework for classifying and handling University information based on its level of sensitivity, and its value to the University. Personally Identifiable Information (PII) must be managed and protected in accordance with the University Data Protection and Information Classification Policies.

4.1. Network controls

Any part of the University that manages their own network or networks on behalf of others, should define responsibilities and procedures to protect information in systems and applications.

All connections to University systems should be protected using modern authentication and encryption technology. Where that is not possible a security risk assessment should be carried out and the residual risk accepted by the University.

Network security events should be logged on network routers and firewalls on the University network, and on virtual network infrastructure in cloud hosted environments.

Attaching more than one device to any network port by use of network switches, firewalls, routers or wireless access points or any other means without authority should be prevented using technical controls. Use of any software or hardware which causes disruption to the correct functioning of University systems is prohibited under the Student and Staff Information Security Policies. If such disruption does occur the offending device or software should be disconnected from the University network by the institution responsible for managing the network.

Users should only be provided with access to the University information and resources that are required for their role, in line with the University Information Classification and Data Protection Policies. Access should be added and removed to reflect changes in employment status, role and responsibility, and reviewed regularly to ensure compliance with these principles.

Role Based Access Control (RBAC) should be used wherever possible to assign access rights to users throughout the account lifecycle, where the role/s associated with the user determines the access they have, driven by data from staff and student information systems.

Any access granted outside the RBAC groups should be reviewed regularly and wherever possible RBAC groups should be modified or created to incorporate that access and minimise exceptions.

All new staff and student accounts should be inactive until the user has been through an identity verification process, at which point the account can be activated, and the user must set their own unique password.

• Deactivated promptly if no longer required, and deleted after no more than three months, or
  
• The user’s group membership must be cleared and new group membership set according to the new role.
  

5.2. Privileged user access control

Staff who require privileged access for the technical administration of information systems must be provided with a separate account for that purpose. Those accounts are only for use where privileged access is required, and not for any routine activity including email or instant messaging and web browsing.

Privileged access to systems must be reviewed by system owners annually.

Role Based Access Control (RBAC) is the default method of assigning privileged access rights based on the responsibilities of that member of staff.

Any privileged access granted outside the RBAC groups must be reviewed as part of the annual privileged account review, and wherever possible RBAC groups should be created or modified to incorporate that access to minimise exceptions.

Technical controls should enforce enhanced authentication measures (including but not limited to increased password length, multi-factor authentication and conditional access) for all privileged accounts.

6.1. Security awareness

The University Induction Policy requires all staff to complete Data Protection and Information Security Training at the start of their employment, and every two years thereafter. This training includes information on how to stay safe online and avoid viruses.

6.2. Controlling software installation and use

Staff should not have administrative access to desktops and laptops unless their role requires it. Where administrative access is required it should be actively managed, proportionate to user need, wherever possible time limited, and subject to annual review.

6.3. Malware detection

The Student and Staff Information Security Policies (see above) require that all personal computers which store or process University information must be protected using up to date anti-virus software, and updated frequently with the latest operating system and application patches and updates. University computers must comply with the same requirement, and wherever possible anti-virus and patching should be managed by IT to ensure compliance.

Email services used in the University must have built-in malware protection to prevent the transmission of viruses contained in both inbound and outbound messages.

7. Management of technical vulnerabilities

7.1. Inventory of assets

7.2. Identifying vulnerabilities

Appropriate information resources to identify vulnerabilities should be maintained for all assets in the inventory and updated in line with changes to the inventory.

7.3. Reacting to vulnerabilities

A process for assessing the risk of identified vulnerabilities and implementing the appropriate corrective actions (patch, mitigate or workaround with a technical control) should be documented. This documentation should include roles and responsibilities, and how actions are recorded for audit and review purposes.

High-risk or critical security updates for operating systems, firmware and applications must be installed as soon as possible, and within 14 days of release for all systems within the scope of the University of Plymouth Cyber Essentials Compliant Network.

7.4. Monitoring vulnerabilities

A process for confirming that all network and server infrastructure is compliant (has the most recent updates installed) should be documented. That process should include the escalation of any servers which are non-compliant to the appropriate persons for corrective action.

Business information should be protected wherever possible by modern encryption at rest and in transit, and at all times for information classified as Level 1 (i.e., Confidential; see University Information Classification Policy). This includes data servers and on desktop computers and laptops.

Where it is not possible to provide this protection, this must managed as an information security risk, and reviewed at least annually.

Backups should be encrypted to prevent unauthorised access or modification.

10. Physical and environmental security

Areas where sensitive or critical information is processed should be given an appropriate level of physical security and access control as detailed below. Staff with authorisation to enter such areas are provided with information on the potential security risks and the measures used to control them.

10.1. Low criticality systems

Normal building access and control procedures are adopted.

10.2. Medium criticality systems

Facilities are in defined locked rooms to which access is controlled by key, card or code. Delivery personnel and visitors must wear visitor badges and be supervised.

10.3. High criticality systems

Facilities are in specially designated areas with walls and doors of solid construction, security alarms, and access controlled and recorded by an electronic system. Deliveries and enquiries are to separate areas and visitors must wear visitor badges and be accompanied at all times.

Responsibility for the management of supplier relationships should be clearly documented.

Cloud service providers and third-party software suppliers should by default have no access to University data, including administrative accounts on systems. Data is protected by access control and encryption, with the encryption keys being managed and controlled by the University. Non-Disclosure Agreements (NDAs) shall be used in all situations where the disclosure of Confidential or Restricted to a Cloud service provider or third-party software supplier is deemed necessary and appropriate.

12. Information security incident management

Any part of the University that manages their own network or systems, or manages networks or systems on behalf of others should establish Incident Management procedures to ensure a quick, effective and orderly response to information security incidents. Those procedures should identify the individual or team responsible for responding to information security incidents.

Information security events reported by service users or triggered by monitoring and management systems should be recorded. Those events should be assessed by staff with the appropriate skills and experience (or an appropriate third party), and decision made whether those events are classified as an information security incident

Information security incidents should be recorded as such and responded to according to the institution’s documented incident management procedures. Any knowledge gained from analysing and resolving those incidents should be recorded and used to reduce the likelihood or impact of future incidents.

Any evidence gathered during the incident response process should be appropriately recorded, and as far as possible original evidence should be preserved as per ACPO guidelines and ISO/IEC 27037.

Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0; Approved: 9th February, 2021; Next review: Q1 2022