Information security

Why is Information Security important?

Information is one of the most important assets to an organisation and all information is valuable and should be appropriately protected. Security is a combination of systems, operational procedures and internal controls to ensure integrity, confidentiality and availability of data to support the operation of the organisation.

'Why is Information Security important' video created by Security Fresh.


Information security policies

Whether you are a student, member of staff or contractor, you all have an important part to play in protecting University systems and the information stored on them. The information security policies below explain those expectations, obligations and conditions of use which you should read, understand and comply with. These policies have been comprehensively reviewed and revised to make them easier to read, and we are committed to a regular review cycle to ensure they remain accessible and helpful.

Staff information security policy

1. Purpose

This policy sets out the conditions of use for University computers and systems, in order to protect those systems and the information stored on them for which the University is legally responsible. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.

If you need any help complying with this guidance (for example technical assistance) please contact Technology & Information Services (TIS) via IT Self Service.

2. Personal use

University systems exist to support and enable the aims of the University. A reasonable amount of personal use is allowed. However, it must not cause damage or disruption to computers or networks, or any difficulty, damage or distress to others.

In a home working environment, you are responsible for ensuring University equipment and the data stored on it are protected from access by family, friends and visitors.

2.1. Personal data

Unless specifically marked as ‘Personal’, all data stored on systems managed by Technology and Information Services (TIS) is considered to be work-related. As such it does not constitute personal information which is protected under Human Rights legislation, and therefore may be accessed by the University with due authority.

2.2. Monitoring, auditing and control

The University reserves the right to monitor use of IT systems and data, audit networks and systems and implement technical controls. We do this to secure data and systems, and to protect the safety of other users. All monitoring and auditing is conducted in compliance with UK legislation.

3. Protection of information

You should take care of any University information you have access to including your own work, and protect it against unauthorised disclosure, modification or destruction. Here are three simple steps you can take to protect your identity and your work:

1. Look after the password for your University account. You must never disclose your password to anyone (including IT staff, who will never ask you for your password).
2. Update any personal computers and devices you use to access University information with the latest software patches and updates, and protect your computer using up to date anti-virus software.
3. Secure any personal computer or device you use to access University information with a PIN or password. This makes it harder for someone to access your personal information or University information if your device is lost or stolen.

3.1. Information classification

You must handle University information according to the University Information Classification Policy. This policy defines how University information is classified based on its level of sensitivity and its value to the University. That classification then determines how you should store, process and transfer that data. You should take particular care to handle Personally Identifiable Information (PII) in accordance with the University Data Protection and Information Classification Policies.

3.2. Personally identifiable information in email

If you handle confidential or restricted personally identifiable information in email (e.g., you have teaching, supervision or management responsibilities), you must not forward your email to a third party email service, as this would be in breach of the University Information Classification Policy.

3.3. Clear desk and clear screen

Hard copy confidential data should be locked away when not required, especially when you are not in your office or remote working space.

Computers you use to access University systems and data should be secured with a ‘lock-on-idle’ policy after (at most) 10 minutes of inactivity. In addition, the screen and keyboard should be manually locked by the responsible user whenever leaving the machine unattended.

3.4. Mobile devices and remote working

Because information on portable devices such as laptops, tablets and smartphones, is especially vulnerable, special care should be exercised with these devices. You will be held responsible for the consequences of theft of or disclosure of information on portable devices you use for work if you have not taken reasonable precautions to secure it (including those set out in this policy).

3.5. Information transfer

You must not send, upload, remove on portable media or otherwise transfer to a non-University system any information that is designated as confidential, or which you could reasonably regard as being confidential to the University, except where explicitly authorized by your line manager or the information asset owner.

4. Reporting security events

If you think your computer or a University computer is infected with a virus, your account password is known by someone else, or you believe information is at risk for any other reason, you should immediately report this as a breach by following the personal data breach process. There is no penalty for reporting something which turns out not to be legitimate, so if in doubt, report it.

5. Unacceptable use

All users should use their own judgement regarding what is unacceptable use of University systems. Below are some examples of unacceptable use of University systems. This list is not exhaustive, and when using University systems you should bear in mind the terms and conditions of your employment contract, the University Equality, Diversity and Inclusion Policy, and ultimately the interests and wellbeing of colleagues and students. 

5.1. Examples of unacceptable use of University IT systems

  • Creation or transmission of material (including via social media) which is defamatory and could constitute harassment or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety.
  • Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images). 
  • Creation or transmission of material with the intent to defraud. 
  • Creation or transmission of material such that this infringes the copyright of another person.
  • Deliberate unauthorised access to networked facilities or services.
  • Illegal activity including, but not limited to, accessing pornographic images or sites or media which are specifically designed to promote terrorism or which advocates or promotes any unlawful act.
  • Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures.
  • Any activity which brings the University into disrepute.    


Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0, Approved: 9th February, 2021; Next review: Q1 2022

Student information security policy

1. Purpose

The University cares about the experience of our students and we want you to be safe at all times whilst you are studying with us.

This policy sets out the ways you should keep your information secure and the expectations you may have of other staff and students in relation to information security and safety. It includes some rules you must follow in order to protect your student digital identity and the University data and systems you have access to.

If you are unclear or have any questions about this policy please contact the Library.

2. Scope

This policy applies to your use of IT systems as a student. If you are employed by the University your use of IT systems as an employee is covered by the Staff Information Security Policy. If you are employed by the Student Union please refer to their information security policy.

3. Personal use

University systems exist to support and enable the aims of the University. A reasonable amount of personal use is allowed. However, it must not cause damage or disruption to computers or networks, or any difficulty, damage or distress to others.

3.1. Personal data

Unless you mark specific data as personal, anything stored on University-managed systems will be considered to be stored in accordance with the aims of the University. This means it does not constitute personal information as protected by human rights legislation, and the University may access this data at any time.

4. Monitoring, auditing and control

The University reserves the right to monitor your use of IT systems and data, audit networks and systems and implement technical controls. We do this to secure data and systems, and to protect the safety of other users. All monitoring and auditing is conducted in compliance with UK legislation.

5. Protection of information

You should take care of any University information you have access to including your own work, and protect it against unauthorised disclosure, modification or destruction. Here are three simple steps you can take to protect your identity and your work.

1. Look after the password for your University account. You must never disclose your password to anyone (including IT staff who will never ask you for your password).
2. Update any computers and devices you use to access University information with the latest software patches and updates, and protect your computer using up to date anti-virus software.
3. Secure any computer or device you use to access University information with a PIN or password. This makes it harder for someone to access your personal information or University information if your device is lost or stolen.

6. Reporting security events

If you think a University computer is infected with a virus, your account password is known by someone else, or you believe information is at risk for any other reason, you should immediately report this as a breach by following the personal data breach process. There is no penalty for reporting something which turns out not to be legitimate, so if in doubt, report it.

7. Unacceptable use

Below are some examples of unacceptable use of University systems. This list is not exhaustive, and when using University systems you should bear in mind the Student Code of Conduct and Disciplinary Procedure, and ultimately the interests and wellbeing of University staff and your fellow students.

If we have a concern that you may have acted in a way that was not compliant with this policy, the University will carry out an investigation which could, in cases of major misconduct being found proven, result in a sanction up to and including your permanent expulsion from the University.

7.1. Examples of unacceptable use of University IT systems

  • Creation or transmission of material (including via social media) which is defamatory and could constitute harassment, hate crime or bullying, or simply intends to cause annoyance, inconvenience or needless anxiety. 
  • Communication which could constitute emotional abuse or sexual violence (including the non-consensual sharing of indecent or sexual images). 
  • Creation or transmission of material with the intent to defraud. 
  • Creation or transmission of material such that this infringes the copyright of another person. 
  • Deliberate unauthorised access to networked facilities or services. 
  • Illegal activity including, but not limited to, accessing pornographic images or sites or media which are specifically designed to promote terrorism or which advocates or promotes any unlawful act. 
  • Any activity which jeopardises the security, integrity, performance or reliability of University IT systems including the introduction of malware or attempting to disrupt or circumvent IT security measures. 
  • Any activity which brings the University into disrepute.

Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0; Approved: 9th February, 2021; Next review: Q1 2022

IT information security policy

1. Purpose

This policy sets out the University’s approach to managing its information security objectives (see below). It addresses the governance and operation of IT security and sits above the Staff and Student Information Security policies, which address user behaviour.

1.1. Audience and scope

The audience for this policy is managers and technical staff responsible for delivering IT services to University staff and students. This policy applies to all IT service providers in the University, including Technology and Information Services (TIS) and any other Faculty teams or staff with an IT support or delivery role.

2. Information security roles and responsibilities

Role: Senior Information Risk Owner (SIRO)
Role/title: University Secretary and Registrar
Responsibility: Providing accountability and assurance to UEG that information governance policies, including data protection and information security policies are complied with.

Role: Information Asset Owners
Role/title: Executive Deans, Directors, Deputy Vice-Chancellors, members of the Senior Leadership forum
Responsibility: Has accountability and authority to manage the risk; approving the risk treatment plan and residual risk for the risks that they own.

Role: Risk Assessors
Role/title: Privacy Coordinators
Responsibility: Compliance with Data Protection policy, including assessment of information security risk within their organisational area.

Role: Risk Assessors
Role/title: TIS Enterprise Security
Responsibility: Assessing cyber security risk across the University and providing advice on appropriate mitigating measures.

Role: Security Incident Management
Role/title: IT Director
Responsibility: Co-ordinating the University’s technical response to a major or critical information security incident.

3. Information classification

The University Information Classification policy sets a framework for classifying and handling University information based on its level of sensitivity, and its value to the University. Personally Identifiable Information (PII) must be managed and protected in accordance with the University Data Protection and Information Classification Policies.

4. Communications security

4.1. Network controls

Any part of the University that manages its own network, or networks on behalf of others, should define responsibilities and procedures to protect information in systems and applications.

University operated wireless networks must be protected using modern authentication and encryption technology ('modern' meaning currently in active development and supported by a vendor or community). Encryption must meet the current FIPS standard at the time of reading.

All connections to University systems should be protected using modern authentication and encryption technology. Where that is not possible a security risk assessment should be carried out and the residual risk accepted by the University.

Network security events should be logged on network routers and firewalls on the University network, and on virtual network infrastructure in cloud hosted environments.

Use of systems connected to the University network via wired, wireless or VPN connection must be authenticated, unless otherwise specifically approved by the institution responsible for managing the network.

4.2. Unauthorised use

Attaching more than one device to any network port by use of network switches, firewalls, routers or wireless access points or any other means without authority should be prevented using technical controls. Use of any software or hardware which causes disruption to the correct functioning of University systems is prohibited under the Student and Staff Information Security Policies. If such disruption does occur the offending device or software should be disconnected from the University network by the institution responsible for managing the network.

5. Access control

Users should only be provided with access to the University information and resources that are required for their role, in line with the University Information Classification and Data Protection Policies. Access should be added and removed to reflect changes in employment status, role and responsibility, and reviewed regularly to ensure compliance with these principles.

5.1. Regular user access control

Role Based Access Control (RBAC) should be used wherever possible to assign access rights to users throughout the account lifecycle, where the role/s associated with the user determines the access they have, driven by data from staff and student information systems.

Any access granted outside the RBAC groups should be reviewed regularly and wherever possible RBAC groups should be modified or created to incorporate that access and minimise exceptions.

All new staff and student accounts should be inactive until the user has been through an identity verification process, at which point the account can be activated, and the user must set their own unique password.

As the status of a user changes within the relevant information system, accounts must be handled in one of two ways:

  • Deactivated promptly if no longer required, and deleted after no more than three months, or
  • Group membership cleared and new group membership set according to the new role.

Owners of sensitive personal identifiable information assets should review the users who have access to those assets regularly.

5.2. Privileged user access control

Staff who require privileged access for the technical administration of information systems must be provided with a separate account for that purpose. Those accounts are only for use where privileged access is required, and not for any routine activity including email or instant messaging and web browsing.

Privileged access to systems must be reviewed by system owners annually.

Role Based Access Control (RBAC) is the default method of assigning privileged access rights based on the responsibilities of that member of staff.

Any privileged access granted outside the RBAC groups must be reviewed as part of the annual privileged account review, and wherever possible RBAC groups should be created or modified to incorporate that access to minimise exceptions.

Technical controls should enforce enhanced authentication measures (including but not limited to increased password length, multi-factor authentication and conditional access) for all privileged accounts.

Access to and administration of systems by privileged accounts must be logged.
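The account lifecycle in 5.1 and the privileged-account checks in 5.2 are stated as rules; the following is an added example (not the University's own tooling) of how an identity team might model and check them. The role-to-group mapping, the 90-day reading of "three months", the usernames and the review dates are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed role-to-group mapping (an assumption for this example; not the
# University's real RBAC groups). Group membership is derived from the role
# recorded in the staff/student information system, never assigned by hand.
ROLE_GROUPS = {
    "student": {"g-students", "g-library"},
    "lecturer": {"g-staff", "g-teaching", "g-library"},
    "leaver": set(),
}
DELETE_AFTER = timedelta(days=90)           # "deleted after no more than three months" (modelled as 90 days)
PRIV_REVIEW_INTERVAL = timedelta(days=365)  # privileged access reviewed annually


@dataclass
class Account:
    username: str
    role: str
    active: bool = False                    # new accounts start inactive
    groups: set = field(default_factory=set)
    deactivated_on: Optional[date] = None
    privileged: bool = False                # separate account used only for administration
    mfa_enabled: bool = False
    last_privileged_review: Optional[date] = None


def provision(username: str, role: str, privileged: bool = False) -> Account:
    """Create an account that is inactive and holds no group membership yet."""
    return Account(username=username, role=role, privileged=privileged)


def activate(acct: Account, identity_verified: bool, password_set_by_user: bool) -> Account:
    """Activate only after identity verification and a password chosen by the user."""
    if not (identity_verified and password_set_by_user):
        raise PermissionError(f"{acct.username}: identity not verified or password not set by user")
    acct.active = True
    acct.groups = set(ROLE_GROUPS[acct.role])
    return acct


def apply_status_change(acct: Account, new_role: str, today: date) -> Account:
    """Mirror a change in the information system: deactivate, or clear and reset groups."""
    if new_role == "leaver":
        acct.active = False
        acct.groups.clear()
        acct.deactivated_on = today
    else:
        acct.role = new_role
        acct.groups = set(ROLE_GROUPS[new_role])   # replaced, not appended to
    return acct


def due_for_deletion(acct: Account, today: date) -> bool:
    """True once a deactivated account has reached the deletion deadline."""
    return acct.deactivated_on is not None and today - acct.deactivated_on >= DELETE_AFTER


def rbac_exceptions(acct: Account) -> list:
    """Groups held outside the role's RBAC set; these need regular review."""
    return sorted(acct.groups - ROLE_GROUPS.get(acct.role, set()))


def privileged_findings(acct: Account, routine_username: str, today: date) -> list:
    """Checks from 5.2 for an administrative account."""
    findings = []
    if not acct.privileged:
        return findings
    if acct.username == routine_username:
        findings.append("privileged access must use a separate account")
    if not acct.mfa_enabled:
        findings.append("multi-factor authentication not enforced")
    if acct.last_privileged_review is None or today - acct.last_privileged_review > PRIV_REVIEW_INTERVAL:
        findings.append("privileged access not reviewed within the last year")
    return findings


if __name__ == "__main__":
    today = date(2021, 2, 9)
    a = activate(provision("jbloggs", "student"), identity_verified=True, password_set_by_user=True)
    apply_status_change(a, "lecturer", today)
    a.groups.add("g-finance")                  # manually granted outside RBAC
    print("exceptions:", rbac_exceptions(a))   # ['g-finance']
    apply_status_change(a, "leaver", today)
    print("due for deletion on", date(2021, 5, 10), "?", due_for_deletion(a, date(2021, 5, 10)))
```

The point of `apply_status_change` replacing the group set rather than adding to it is that a role move must not carry old entitlements forward; anything that does survive shows up in `rbac_exceptions` for the regular review.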

6. Protection from malware

6.1. Security awareness

The University Induction Policy requires all staff to complete Data Protection and Information Security Training at the start of their employment, and every two years thereafter. This training includes information on how to stay safe online and avoid viruses.

6.2. Controlling software installation and use

Staff should not have administrative access to desktops and laptops unless their role requires it. Where administrative access is required it should be actively managed, proportionate to user need, wherever possible time limited, and subject to annual review.

6.3. Malware detection

The Student and Staff Information Security Policies (see above) require that all personal computers which store or process University information must be protected using up to date anti-virus software, and updated frequently with the latest operating system and application patches and updates. University computers must comply with the same requirement, and wherever possible anti-virus and patching should be managed by IT to ensure compliance.

Email services used in the University must have built-in malware protection to prevent the transmission of viruses contained in both inbound and outbound messages.

7. Management of technical vulnerabilities

7.1. Inventory of assets

All University server and endpoint (desktop and laptop) assets should be recorded within an IT asset inventory which should be maintained and regularly reviewed by the responsible IT team to ensure it is accurate.

7.2. Identifying vulnerabilities

Appropriate information resources to identify vulnerabilities should be maintained for all assets in the inventory and updated in line with changes to the inventory.

TIS is responsible for the identification and monitoring of vulnerabilities and advising the University on the level of risk presented and the appropriate corrective action. To that end, TIS may audit networks and systems to ensure compliance with this and other University policies relating to information security and regulations.

7.3. Reacting to vulnerabilities

A process for assessing the risk of identified vulnerabilities and implementing the appropriate corrective actions (patch, mitigate or workaround with a technical control) should be documented. This documentation should include roles and responsibilities, and how actions are recorded for audit and review purposes.

High-risk or critical security updates for operating systems, firmware and applications must be installed as soon as possible, and within 14 days of release for all systems within the scope of the University of Plymouth Cyber Essentials Compliant Network.

Medium to low-risk updates should be applied automatically on a regular cycle, and ideally within 30 days.

7.4. Monitoring vulnerabilities

A process for confirming that all network and server infrastructure is compliant (has the most recent updates installed) should be documented. That process should include the escalation of any servers which are non-compliant to the appropriate persons for corrective action.
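The 14-day and 30-day deadlines in 7.3 and the escalation of non-compliant systems in 7.4 can be checked mechanically against the asset inventory of 7.1. Below is an added example of such a check (it is not the University's own process or tooling). The inventory, asset names, owners and update identifiers are constructed placeholders; the only policy values used are the deadlines stated above.

```python
from datetime import date, timedelta

# Deadlines from 7.3: high/critical within 14 days of release (a "must" for the
# Cyber Essentials scope), medium/low ideally within 30 days.
DEADLINES = {
    "critical": timedelta(days=14),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}

# Constructed inventory of assets and their *uninstalled* updates. Asset names,
# owners and update ids are placeholders for this example, not real University data.
INVENTORY = [
    {"asset": "srv-web-01", "owner": "TIS Infrastructure", "ce_scope": True,
     "pending": [{"id": "UPDATE-PLACEHOLDER-1", "severity": "critical", "released": date(2021, 1, 20)}]},
    {"asset": "lab-pc-117", "owner": "Faculty IT", "ce_scope": True,
     "pending": [{"id": "UPDATE-PLACEHOLDER-2", "severity": "medium", "released": date(2021, 1, 5)},
                 {"id": "UPDATE-PLACEHOLDER-3", "severity": "low", "released": date(2021, 2, 1)}]},
    {"asset": "srv-db-02", "owner": "TIS Infrastructure", "ce_scope": True,
     "pending": [{"id": "UPDATE-PLACEHOLDER-4", "severity": "critical", "released": date(2021, 2, 1)}]},
    {"asset": "research-nas", "owner": "Faculty IT", "ce_scope": False, "pending": []},
]


def deadline_for(severity: str, released: date) -> date:
    """Date by which an update of the given severity should be installed."""
    return released + DEADLINES[severity.lower()]


def overdue_updates(inventory, today: date) -> list:
    """Every pending update past its deadline, policy breaches first, then most overdue."""
    findings = []
    for asset in inventory:
        for upd in asset["pending"]:
            due = deadline_for(upd["severity"], upd["released"])
            if today > due:
                findings.append({
                    "asset": asset["asset"],
                    "owner": asset["owner"],
                    "update": upd["id"],
                    "severity": upd["severity"],
                    "due": due,
                    "overdue_days": (today - due).days,
                    # A late high/critical update inside the Cyber Essentials scope breaches a "must"
                    "policy_breach": asset["ce_scope"] and upd["severity"].lower() in ("critical", "high"),
                })
    return sorted(findings, key=lambda f: (not f["policy_breach"], -f["overdue_days"]))


def compliant_assets(inventory, today: date) -> list:
    """Assets with no update past its deadline (pending but in-date updates are allowed)."""
    overdue = {f["asset"] for f in overdue_updates(inventory, today)}
    return sorted(a["asset"] for a in inventory if a["asset"] not in overdue)


def escalation_report(inventory, today: date) -> str:
    """One line per overdue update, naming the owner it should be escalated to (7.4)."""
    lines = []
    for f in overdue_updates(inventory, today):
        tag = "BREACH" if f["policy_breach"] else "overdue"
        lines.append(f"{tag:7} {f['owner']:18} {f['asset']:12} {f['update']} "
                     f"({f['severity']}, due {f['due']}, {f['overdue_days']} days late)")
    return "\n".join(lines) if lines else "all assets compliant"


if __name__ == "__main__":
    print(escalation_report(INVENTORY, date(2021, 2, 9)))
```

Run against the constructed inventory on 9 February 2021, the report lists the critical update on srv-web-01 as a breach (six days past its 14-day deadline) and the medium update on lab-pc-117 as overdue; srv-db-02 still has a pending critical update but is inside its window, so it is not escalated. In practice the inventory rows would come from the asset register and the patch management system rather than a literal in the script.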

8. Backup

All data should be backed up according to its value to the University, the cost of recreating the data, any financial costs or penalties which might be incurred as a result of data loss or corruption, and the risk of data loss or corruption.

The primary purpose of data backup is to allow the Faculty or Service to continue its activity after a data loss incident, by retrieving some or all of the data lost, ideally from a point in time backup taken within the last 24 hours.

All backups should meet the following minimum requirements:

  • It has been designed to meet the recovery time and recovery point requirements of the Faculty or service.
  • It is physically secured against theft.
  • It is sufficiently resilient that failure of a single hardware component would not result in data loss.
  • It is held separately from the original data storage location such that it would be unaffected by hardware or software failure or physical/environmental incidents (e.g., fire or flood).
  • It is protected from unauthorised access through technical controls and as far as possible physical separation from the original data storage location (to prevent destruction in the event of a security incident, e.g. ransomware). 
  • It is tested at least annually to ensure the data backed up could be used in the event of a data loss incident.

Suitable backup locations include cloud based backup services, tape libraries and mirroring to resilient disk storage. Portable backup devices are not suitable for backup of PII or data where loss would result in significant cost to recreate or disclosure would result in financial penalties due to breach of legislation or regulation.

9. Cryptographic controls

Business information should be protected wherever possible by modern encryption at rest and in transit, and at all times for information classified as Level 1 (i.e., Confidential; see University Information Classification Policy). This includes data on servers, desktop computers and laptops.

Where it is not possible to provide this protection, this must be managed as an information security risk, and reviewed at least annually.

Backups should be encrypted to prevent unauthorised access or modification.

Wherever possible key management should be used to centrally provision and manage access to encryption keys and secrets, to prevent data loss in the event of key loss. Responsibility for cryptographic controls on servers, desktops and laptops should be clearly defined.

10. Physical and environmental security

Areas where sensitive or critical information is processed should be given an appropriate level of physical security and access control as detailed below. Staff with authorisation to enter such areas are provided with information on the potential security risks and the measures used to control them.

10.1. Low criticality systems

Normal building access and control procedures are adopted.

10.2. Medium criticality systems

Facilities are in defined locked rooms to which access is controlled by key, card or code. Delivery personnel and visitors must wear visitor badges and be supervised.

10.3. High criticality systems

Facilities are in specially designated areas with walls and doors of solid construction, security alarms, and access controlled and recorded by an electronic system. Deliveries and enquiries are to separate areas and visitors must wear visitor badges and be accompanied at all times.

11. Supplier relationships

Responsibility for the management of supplier relationships should be clearly documented.

Cloud service providers and third-party software suppliers should by default have no access to University data, including administrative accounts on systems. Data is protected by access control and encryption, with the encryption keys being managed and controlled by the University. Non-Disclosure Agreements (NDAs) shall be used in all situations where the disclosure of Confidential or Restricted information to a Cloud service provider or third-party software supplier is deemed necessary and appropriate.

Supplier access to systems should only be allowed when authorised by the University as part of a technical support call or planned maintenance activity, provided on the principle of least privilege, audited and logged. Where necessary, supplier access will be accompanied or observed in order to ensure compliance with University policy.

12. Information security incident management

Any part of the University that manages its own network or systems, or manages networks or systems on behalf of others, should establish Incident Management procedures to ensure a quick, effective and orderly response to information security incidents. Those procedures should identify the individual or team responsible for responding to information security incidents.

12.1. Identifying security events

Information security events reported by service users or triggered by monitoring and management systems should be recorded. Those events should be assessed by staff with the appropriate skills and experience (or an appropriate third party), and a decision made whether those events are classified as an information security incident.

12.2. Responding to security incidents

Information security incidents should be recorded as such and responded to according to the institution’s documented incident management procedures. Any knowledge gained from analysing and resolving those incidents should be recorded and used to reduce the likelihood or impact of future incidents.

Any evidence gathered during the incident response process should be appropriately recorded, and as far as possible original evidence should be preserved as per ACPO guidelines and ISO/IEC 27037.

The institution's incident management procedures should include appropriate escalation guidance, such as for internal escalation (including to TIS, Legal, HR, Finance and the Media and Communications Team), and for reporting to the relevant authorities (Jisc, Action Fraud, and the South West Regional Cyber Crime Unit).


Author: Richard Bartlett (Enterprise Security Architect); Version: 1.0; Approved: 9th February, 2021; Next review: Q1 2022


Study information security at University of Plymouth

Cyber security is now widely recognised as an international priority, with hacking, malicious code, and data theft being just three of the many reasons why it's vital in the design, development and implementation of today’s IT systems. Our courses deliver a view of security threats and solutions, alongside an essential background in wider IT topics.

If you have discovered a vulnerability or weakness within our network, please report it to the Enterprise Security Team.

Phone: +44 1752 588 588

If you want to report an information security incident, please contact the Enterprise Security Team.

Phone: +44 1752 588 588

If you have any ideas or suggestions regarding our information security, please share them with us!

Email: infosecurity@plymouth.ac.uk