Personal Responsibilities for Electronic Information Security

Introduction

Information – some definitions

How to keep our information safe

Acceptable/Unacceptable Use

Introduction

The purpose of this document is to give you advice about keeping electronic information secure. It highlights the risks of unauthorised access or loss of data, and provides guidance to help you protect the data and information you use at the University. If you suspect the security of your information has been breached, please report it to the IT Service Desk on ext. 2000. This document should be viewed within the broader context of the University’s Electronic Information Security Policy (http://www.wlv.ac.uk/PDF/its_info_security_policy.pdf), which defines how the University will secure electronic information.

Information – some definitions & principles

Corporate Data is…

Any data which is business critical and may be confidential or highly confidential. This broad definition covers both finance and personnel records, in addition to other data which is of a sensitive nature or protected by a confidentiality agreement. Processing and handling data includes storing or processing data on a PC/laptop/mobile device as well as storing data on removable media such as CDs or USB drives.

Personal Data is…

Any data that can identify a living person, e.g. names and addresses. Such information should only be stored in the appropriate Corporate System (e.g. Personnel, Payrolls, Student Record System) and is subject to legal protection. University staff are obliged, under the terms of the Data Protection Act, to ensure that appropriate security measures are in place to prevent any unauthorised access to personal data, whether this is on computer or on paper. This includes transferring information via digital communication technologies including Wi-Fi and email.

Confidentiality

Personal or commercially-sensitive data should not be taken or sent outside of the University unless authorised and in accordance with University policy. Confidential data should not be shared with outside agencies or partners unless a confidentiality agreement is in existence; even in these cases, confidential data should never be transferred in plaintext and, as a minimum security measure, PowerArchiver should be used to Zip files with password protection.


How to keep our information safe

Protect your computer or portable storage from theft

  • Store data in your My Documents folder only and not directly on the PC’s local hard disk. On University PCs, saving to your My Documents folder stores your data in a secure central personal file store. When you log on to the network, this synchronises with your PC or laptop, meaning that you will still have password-protected access to your data when not connected to the University network.
  • Lock your office if you are the last to leave.

Laptops are particularly at risk, so we recommend the following:

  • Never leave your laptop unattended. A computer lock can be used to secure your laptop while you are away. Laptops should be stored in a locked filing cabinet.
  • When ordering a laptop, purchase insurance cover for it from the supplier. University insurance does not cover laptop losses.
  • Avoid using obvious laptop bags or a bag with the computer company’s name on it.
  • If the nature of your work requires that you store data on the local hard disk rather than your personal file store, make sure you back up critical files frequently and store backup media securely.
  • Take advantage of password locking features – see your laptop manual for details.
  • Keep your laptop away from accessible windows.
  • Record the make, model and serial number of your computer and devices associated with it, and keep these separate from your laptop.
  • Report any theft of your laptop immediately to Security, and/or the Police. Notify your line manager of any sensitive corporate data that was held on the device. Call the IT Service Desk for further advice.

If you are travelling with your laptop:

  • Do not leave your laptop visible in an unattended vehicle. Lock it in the boot of the vehicle or take it with you.
  • Keep it with you at all times where possible.
  • Make the bag stand out from all other bags. An unusual colour or bright labels attached to the bag make it easier to locate.
  • When flying, keep your laptop as hand luggage.
  • Use the hotel safe to store your laptop when away from your hotel room.
  • Save documents to your personal file store on a frequent basis. If this is not available, e-mail them to yourself, or copy them to another disk/device, keeping the disk/device securely but separate from the laptop.

Protect your information from loss or accidental damage/deletion

The majority of serious data breaches involve the loss of removable media such as USB sticks. Most removable media is easy to lose, so you are advised to purchase encrypted USB sticks if you intend to use this type of media for storage of University data.

Advice:

  • Don’t put sensitive data onto temporary or portable media.
  • Use an encrypted USB memory stick if you need to store sensitive data on a portable device.
  • If you do use portable media for backup, store it in a secure location.
  • Activate your mobile phone security – check your phone’s manual for advice on how to do this.
  • Treat portable media as you would treat a laptop.
  • Store your information in your personal file store or, if available/appropriate, a shared area on a central server. Data held in these locations is regularly backed up. In the event of a hardware or system failure, the data will be restored. However, if you accidentally delete your data, you won’t be able to get it back.
  • Keep a backup of any important files you are working on, even if they are stored on an IT server, to guard against accidental corruption or deletion.

Prevent an unauthorised user gaining access to your computer’s hard disk

  • Store your files in your personal filestore (“My Documents” if you have the Windows Secure Desktop), which only you have access to.
  • Always lock the screen/keyboard on your PC before you leave it unattended.
  • Do not share passwords.

Prevent an unauthorised user gaining access to data by using your password

  • Choose your password carefully. Avoid words in the dictionary, or words or numbers that someone might guess, e.g. your car registration number, NI number, partner’s name or date of birth. Passwords are harder to break if they include numbers and/or punctuation. You could also run two short words together, or use an acronym - made by taking the first letter of every word of a memorable phrase.
  • Writing your password down should be avoided, but if you do have to write it down, store it in a private place, such as your wallet or purse.
  • Do not tell anyone your password.
  • Do not let ANYONE else use your ID and password, even for what you think is a legitimate business need. This is a potential disciplinary offence.
  • The security of your password is your responsibility. If you think someone else knows it, contact the IT Service Desk on ext. 2000 for advice on changing it.

Protect information on your UNIVERSITY computer from hackers

  • Don’t install software on your PC unless it comes from a known, reputable source.
  • Make sure you have anti-virus software running on your PC and that it is being updated regularly. If you think it isn’t, check it with the IT Service Desk on ext. 2000.
  • Be careful about the web sites you visit and do not download or attempt to install any software or software “plug-ins” unless you are confident of the source/supplier. Remember also that there may be licensing implications e.g. software that is free for personal use may not be free in a commercial environment.
  • Do not follow links in unsolicited emails or respond to requests for personal or business details – even if these seem legitimate. They are most likely not. 
  • Ensure there are no “back doors” into your PC; do not connect a modem to your PC at the University, do not install “remote control” software.
  • Do not set up a wireless network. Wireless networks should only be set up with IT Services’ involvement, using equipment known to work with the security systems already in place. See the IT Services website at http://www.wlv.ac.uk/its/default.aspx?page=7019 for more information.

Protect information on your HOME computer from hackers

This is a risk where you are accessing University IT facilities remotely from home using your own computer, or taking files home to edit on your home PC. Please note that IT Services do not support home PCs – the advice given is general good practice, dos and don’ts.

  • Ensure that your Windows PC is set up to download and install critical software and security updates and that your Windows Firewall is switched on. Controls for these can be found in the Control Panel or right-click My Computer>Options.
  • Ensure that your PC is running anti-virus and anti-spyware software and that it is being updated regularly. Staff and students of the university are entitled to use F-Secure Anti-Virus software on home PCs.
  • Do not run as administrator of your own machine – set up a separate admin user and password for making changes or installing software.
  • Ensure there are no “back doors” into your PC. Do not allow remote connections to your PC (note this is set to ALLOW as default). These settings can be changed from My Computer>Properties.
  • Be very careful about the web-sites you visit. Some websites will try to install malware on your PC as soon as you visit them.
  • Do not store University business data on home laptops or desktops.

Secure your HOME Wireless Network from hackers

If you have a wireless network at home, make sure you take steps to make it secure. Many wireless networks are not secure out of the box; please read the manual to find out how to secure yours. If you are not sure about some of the terms used below, you probably shouldn’t be setting up a wireless network. Seek advice from the retailer or the supplier’s support.

  • Change your wireless router’s username and password to something other than “admin” and “password” – unbelievably, many are shipped with such defaults that are simple to guess.
  • Use wireless encryption such as WEP, or preferably WPA, to secure your network. This requires you to define a passphrase and/or generated key for access to your network, which you then share with people as required.
  • If possible, set your router up to prevent access by unidentified computers by registering the MAC addresses of those that you want to allow on your network.
  • Don’t broadcast your SSID as this makes your network visible to all wireless devices.

Protect your computer from viruses

  • Ensure that your PC is running a virus checker, and that it is being updated regularly. If you think it isn’t, check it with the IT Service Desk on ext. 2000.
  • Never delete a file if you are told to by an email – even if it appears to come from IT Services or a legitimate source like Microsoft.
  • Do not click on web links in unsolicited emails or provide any personal information via such links.
  • If you are not sure what to do, phone the IT Service Desk on ext. 2000 and ask for advice.
  • Never circulate instructions on what to do about a virus. Instructions can often be hoaxes and can include instructions to delete important files.
  • Always ring IT Services on ext. 2000 to report a virus alert if you receive one.
    Further advice on protecting your computer from viruses can be found on the IT Services website at http://www2.wlv.ac.uk/its/selfhelp/help/virus/HowtoProtectYourComputerfromViruses.asp.

Keep confidential information confidential

  • Make sure you have permission to store and manipulate confidential or sensitive information. Business critical data should not be stored on home computers, iPhones or any unencrypted removable media.
  • Encrypt any confidential information that you are authorised to send outside of the University. Also ensure any confidential data being transferred by partner agencies to the University complies with the data encryption requirements suitable for this type of data. Please see the IT Services website at http://www2.wlv.ac.uk/its/selfhelp/help/powerarchiver/PowerArchiverHelp.asp. Do not send unencrypted confidential information by email. Email is not a secure means of transmitting confidential information. Please see the IT Services website for tips on keeping your email secure and protecting yourself from phishing attacks.
  • Do not let anyone see confidential information on your screen. You should be aware of how open your working environment is, and whether your computer screen is visible to visitors or students, for example.
  • Print to an MFD printer wherever possible, as these require that you authenticate yourself before your documents are printed. If printing to an open printer, always collect your output from the printer straight away.
  • Dispose of confidential waste according to your School or Departmental policy.

Avoid duplication of corporate data

There should only be one copy of corporate data at any one time with perhaps a backup copy. Additional copies of data can lead to disparity and inaccuracies.

  • If you need to share data, shared drives and public folders are useful storage facilities and using these will avoid duplication of information.

  • Databases. The creation of databases using software such as MS Access to hold information already contained in the University corporate systems (e.g. the Finance System, SITS or Personnel) should be avoided. If you think you need to do this, contact the IT Service Desk for advice. The retention of data – particularly personal and sensitive data (e.g. a student record with their grade) – needs to be accurate and auditable and is protected by legislation. If you hold unauthorised data about other people, then YOU PERSONALLY may be in contravention of the law.

Do not put lecture notes on a personal website

  • Lecture notes and other learning materials should be put on WOLF, rather than on a personal website. All websites containing learning materials or information for students must conform to accessibility legislation and most unofficial websites don’t. You should not publish learning materials or related information on your own website.


 

Acceptable/Unacceptable Use


Use of University IT Resources is subject to adherence to the JANET Acceptable Use Policy (http://www.ja.net/documents/publications/policy/aup.pdf) and the University’s ICT Acceptable Use Policy and Policy on using University IT Resources. These can be found in the Regulations and Policies section of the IT Services website at www.wlv.ac.uk/its/services.

University resources should only be used for legitimate work or research purposes. If the nature of research appears to contravene any legislation, code of practice or other terms and conditions referred to in this document, arrangements can be made to accommodate this. For example, legitimate research into x-rated sites might mean authorisation by a Dean of School and special facilities being arranged to avoid any offence to other users. It is important that special arrangements are made in advance, as the use of “legitimate research” as an excuse after the fact will not be accepted.


For further advice about anything mentioned in this document, please contact the IT Service Desk on ext. 2000, or 01902-322000 from outside the University.

University of Wolverhampton
IT Services


Date: 7th November 2011
Last reviewed: 7th November 2011