Policy information

  • Responsibility of: IT Services
  • Approval date: November 2022
  • Review date: November 2023
  • Approved by: IT Steering Group

Information security policy (including acceptable use policy) for staff

This information security and acceptable use policy for staff sets out what you must and must not do in order to protect both your and the University’s information from unauthorised people accessing, changing or deleting it.

Introduction

This information security and acceptable use policy for students sets out what you must and must not do in order to:

  • Protect both your and the University’s information from unauthorised people accessing, changing or deleting it.
  • Ensure that the equipment, services, systems and networks made available to students and staff to support them in their studies and research, and to administer the functions of the University, are used in a way that is acceptable, safe and appropriate.

Everyone should read and follow both this and the data protection policy.

This policy is for students. There is another page with the policy for staff, managers and system owners.

If you have questions about this policy, or wish to report a security concern, call the IT Service Desk on 0300 111 4895. They are available 24 hours a day, seven days a week.

IT Support

For technical support, email ITServices@uwl.ac.uk or call 0300 111 4895 (2222 from a university phone).

  • Responsibilities for information security

    We are all responsible for information security, for data protection and for using University provided services and equipment responsibly.

    Some people and groups in the University have additional responsibilities set out below:

    • The Vice-Chancellor’s Executive (VCE) has the ultimate accountability for implementing information security at UWL and owns the overall risk management process, including the prioritisation and acceptance of risks. This policy has the full support of VCE and all students and staff are expected to follow it.
    • Heads of Schools and central service departments have responsibility for managing risks within their authority (or escalating) and operating in line with the expectations of VCE.
    • Governance bodies like the Audit & Risk Committee of the Board of Governors (ARC), the Information Governance Group (IGG), the IT Steering Group (ISG) and IT Consultative Group (ICG), along with the internal audit programme, help identify risks to the University and provide advice to the Vice-Chancellor’s Executive.
    • System owners are responsible for ensuring that information security and data protection are baked into the systems they own by design and default.
    • Managers of UWL staff are responsible for ensuring the data their teams work with and are responsible for is protected.
    • The Information Security Manager leads the information security function with the support of the Chief Information Officer and colleagues in the IT Services team.
  • Reporting a security concern

    All students are responsible for promptly reporting any concern they have about information security.

    Students should report concerns to the IT Service Desk, their personal tutor, the Information Security Manager or Student Services.

    To report a security concern, call the IT Service Desk on 0300 111 4895. They are available 24 hours a day, seven days a week.

    If you suspect there may have been a personal data breach (see below) then you must follow the University data breach reporting process and report your concerns immediately to the Information Security Manager or Data Protection Officer. There are legal requirements for the University to respond very promptly to suspected personal data breaches.

    Personal data is any data that is about a living person who can be identified. A personal data breach is any security incident where there is a risk that an unauthorised person accessed, changed or destroyed personal data.

  • Infringement

    UWL will investigate complaints received from both internal and external sources about any infringement of this or related policies. In support of this process a technical investigation may take place. UWL may choose not to investigate anonymous or verbal complaints.

    If UWL believes that unlawful activity has taken place, it will refer the matter to the police or other enforcement agency. If UWL believes that a breach of a third party’s regulations has taken place, it may report the matter to that organisation.

    The involvement of external authorities will not prevent UWL from taking appropriate action in accordance with the university’s regulatory framework.

    All students must adhere to this policy. Serious breaches of this policy may be a breach of the student code of conduct and lead to disciplinary procedures.

Dos and don'ts

Do

  • Do use a strong password: three random words in mixed case separated with punctuation.
  • Do change your password if you think it is compromised, and at least once a year.
  • Do back up your important data, e.g. to UWL OneDrive and a USB disk.
  • Do tell someone (personal tutor, IT Service Desk) if you have any security concerns.
  • Do check your email regularly for security advice and alerts from IT Services.
  • Do watch out for phishing – online scammers pretending to be someone else.
  • Do be considerate of fellow students and staff when using IT systems and equipment.
  • Do read and follow this policy (and the data protection policy).

Don't

  • Don’t tell anyone your password or write it down where someone could see it.
  • Don’t leave a UWL open access PC unattended while you are logged onto it.
  • Don’t get content from “dodgy” sources – they’re full of malware and other nasties.
  • Don’t waste resources, for example by printing unnecessarily or sending bulk emails.
  • Don’t attempt to bypass security systems, for example by turning off antivirus.
  • Don’t unplug, modify, move or remove any University equipment.
  • Don’t try to access, modify or delete anyone else’s data without their permission.
  • Don’t assume information security is an “IT thing” – we all have a vital part to play.

Personal activity, equipment and services

We recommend you do not use UWL services or equipment for personal use. Keeping University and personal activities and data separate will improve your work/life balance and is more secure.

But if you do, you must:

  • Follow all University rules, regulations and policies, as well as the law
  • Keep personal use reasonable and to a minimum
  • Always give priority to University work

And you must not:

  • Expose the University to information security risks or excessive costs
  • Use UWL services or equipment for commercial or for-profit activities or to compete with University business

UWL does not accept any liability for damage or loss of any nature caused by the use of UWL services or equipment for personal activity. This exclusion does not apply where personal injury or death is caused by the University’s negligence.

You may want to use your own personal devices for your University work. This includes mobile phones, tablets and desktop and laptop computers.

If you do, you must:

  • Protect your devices with a password, six-digit PIN code or biometrics
  • Run up-to-date and supported versions of your operating system and applications – turn automatic updates on
  • Use an antivirus product – both Windows 10 and Mac OS X have antivirus built in

But also, you must not:

  • Plug any personal device into the UWL network – use Eduroam wireless instead

IT Services will help you get your personal devices connected.

UWL reserves the right to inspect personally owned devices that connect to our systems to ensure they are secure and to deny access if they are not. This may require installation of a local device management agent. Users unhappy with this should not use their personal devices for UWL activity.

Prohibited activities

All students must follow the rules below at all times:

  • Do not access, create, download, store or transmit anything which is indecent, offensive, defamatory or extremist.
  • Do not access, create, download, store or transmit anything which is discriminatory or encourages discrimination on the basis of racial or ethnic grounds, or on grounds of gender, age, sexual orientation, marital status, disability, political or religious beliefs.
  • Do not do anything that is illegal or with the intent to defraud.
  • Do not do anything with the intent to cause harm, annoyance, inconvenience, distress or needless anxiety.
  • Do not do anything with the intent to disrupt or damage the work or data of other users or attempt to access or modify that data without their permission.
  • Do not jeopardise the integrity or security of UWL services, networks or equipment, for example by deliberately or recklessly introducing malware, setting up or using unapproved servers, services, equipment or software, moving or reconfiguring existing UWL equipment, services and networks, or trying to bypass any security systems or controls.
  • Do not infringe copyright or break licence agreements.
  • Do not violate the policies of third-party services the University provides, such as Eduroam or Microsoft 365.
  • Do not do anything that unnecessarily takes up capacity or resources. That includes excessive emailing, unsolicited commercial or advertising emails, using excessive bandwidth or wasting paper or electricity.
  • Do not use UWL services, networks or equipment for personal gain or in a way which competes with the University’s business.
  • Do not use UWL services, networks or equipment in a way that conflicts with your obligations to the university or with University rules, regulations, policies or procedures.

Passwords

Your UWL network password is very important. It gives you access to services and equipment and protects your data throughout your time at the University. You are responsible for everything done using your UWL network account.

  • You must choose a good strong password.
  • You must keep it confidential at all times.
  • You must change your password if you receive a temporary password from IT.
  • You must change your password at least once a year.
  • You must change your password immediately if you think someone might know it.
  • You must not tell anyone – even IT Services – your password.
  • You must not write your password down where someone else could see it (you can store it in a secure password manager app).

Choosing a good password

The easiest way to choose a good, strong password that is easy to remember is to pick three random words, using a mixture of upper and lower case, separated with a punctuation mark. For example: Horse-Battery-Staple. Your password must:

  • Be at least 10 characters long
  • Contain both upper and lower case letters
  • Contain at least one number or punctuation mark
  • Be entirely random
  • Have no connection to you or the University
  • Not be based on a single dictionary word
  • Not be used anywhere else

Your data

During your time at UWL you will create a lot of data. Keep it safe by regularly backing it up to your UWL OneDrive as well as copying to a USB disk or stick.

You retain all the ownership, copyright and intellectual property rights of data you create with and store in university equipment and systems.

UWL monitors university networks, equipment and services:

  • in order to detect, investigate, and resolve security incidents and system failures
  • in order to investigate alleged misconduct, misuse of facilities, breaches of policy and regulation and risks of harm to staff or students
  • in order to comply with our statutory PREVENT duty to prevent people being drawn into terrorism

Any data you store in UWL services will only be accessed by UWL for these purposes and with proper approval. UWL is acting as a data processor for such data.

UWL will comply with lawful requests for information from law enforcement and government agencies for the purposes of detecting, investigating or preventing crime and ensuring national security.

You must not attempt to monitor or scan UWL networks, equipment or services yourself. If cyber security is the subject of your teaching or research, special arrangements will be made.

When you finish or defer your studies and leave UWL, your accounts will be automatically disabled after a grace period. Your data is only kept for a short period after that, so it is important to make copies of anything you need to keep beforehand.

Web filtering

UWL strongly supports the principles of academic freedom. We want our students to be able to use the web freely as part of their studies.

However, the University has responsibilities under the PREVENT duty to safeguard children and to protect UWL systems and data from harm and cyber-attack.

UWL blocks access to known malicious sites to protect the University from malware, phishing, crypto-jacking and other forms of cyber-attack.

Apart from this, Higher Education (HE) students have unrestricted access to the web using UWL networks.

Further Education (FE) students may be under 18, so their web access is restricted using category-based filters.

Younger students, such as those attending junior college, are not given UWL network accounts and so cannot access the web using the UWL network.

Remember that you must not use the web for anything on the list of prohibited activities, whether your access is blocked or not.

If you need access to a blocked site for your studies or research, ask your lecturer to contact the Information Security Manager to discuss.

Use of filtering in UWL is reviewed by the PREVENT committee on an annual basis.

Need help?

If in doubt, contact IT Services.