Information security policy (including acceptable use policy) for staff
Policy information
- Responsibility of: IT Services
- Approval Date: November 2022
- Review Date: November 2023
- Approved By: IT Steering Group
Contents
Jump to each section of the page:
- Introduction
- Dos and don'ts
- Personal activity, equipment and services
- Prohibited activities
- Passwords
- Monitoring and data access
- Mobile and remote working
- Recording meetings
- Handling confidential material
- Local administrator access
- For managers
- For system owners
- Help
This policy is for staff, managers and system owners. There is another page for students - information security policy (including acceptable use policy) for students.
Introduction
This information security and acceptable use policy for staff sets out what you must and must not do in order to:
- Protect both your and the University’s information from unauthorised people accessing, changing or deleting it.
- Ensure that the equipment, services, systems and networks made available to students and staff to support them in their studies and research, and to administer the functions of the University, are used in a way that is acceptable, safe and appropriate.
Everyone should read and follow both this policy and the data protection policy.
If you have questions about this policy, or wish to report a security concern, call the IT Service Desk on 0300 111 4895. They are available 24 hours a day, seven days a week.
IT Support
For technical support, email ITServices@uwl.ac.uk or call 0300 111 4895 (2222 from a university phone).
Responsibilities for information security
We are all responsible for information security, for data protection and for using University provided services and equipment responsibly.
Some people and groups in the University have additional responsibilities set out below:
- The Vice-Chancellor’s Executive (VCE) has the ultimate accountability for implementing information security at UWL and owns the overall risk management process, including the prioritisation and acceptance of risks. This policy has the full support of VCE and all students and staff are expected to follow it.
- Heads of Schools and central service departments have responsibility for managing risks within their authority (or escalating) and operating in line with the expectations of VCE.
- Governance bodies like the Audit & Risk Committee of the Board of Governors (ARC), the Information Governance Group (IGG), the IT Steering Group (ISG) and IT Consultative Group (ICG), along with the Internal Audit programme, help identify risks to the University and provide advice to the Vice Chancellor’s Executive.
- System owners are responsible for ensuring that information security and data protection are baked into the systems they own by design and default.
- Managers of UWL staff are responsible for ensuring the data their teams work with and are responsible for is protected.
- The Information Security Manager leads the information security function with the support of the Chief Information Officer and colleagues in the IT Services team.
Reporting a security concern
All students are responsible for promptly reporting any concern they have about information security.
Staff should report concerns to the IT Service Desk, their line manager or the Information Security Manager.
To report a security concern, call the IT Service Desk on 0300 111 4895. They are available 24 hours a day, seven days a week.
If you suspect there may have been a Personal Data Breach (see below) then you must follow the University data breach reporting process and report your concerns immediately to the Information Security Manager or Data Protection Officer. There are legal requirements for the University to respond very promptly to suspected personal data breaches.
Personal data is any data that is about a living person who can be identified. A personal data breach is any security incident where there is a risk that an unauthorised person accessed, changed or destroyed personal data.
Infringement
UWL will investigate complaints received from both internal and external sources about any infringement of this or related policies. In support of this process a technical investigation may take place. UWL may choose not to investigate anonymous or verbal complaints.
If UWL believes that unlawful activity has taken place, it will refer the matter to the police or other enforcement agency. If UWL believes that a breach of a third party’s regulations has taken place, it may report the matter to that organisation.
The involvement of external authorities will not prevent UWL from taking appropriate action in accordance with the university’s regulatory framework.
All students must adhere to this policy. Serious breaches of this policy may be a breach of the student code of conduct and lead to disciplinary procedures.
Dos and don'ts
Do
- Do use a strong password: 3 random words in mixed case separated with punctuation.
- Do change your password if you think it is compromised, and at least every six months.
- Do back up your important data, e.g. to UWL OneDrive and a USB disk.
- Do tell someone (line manager, IT Service Desk) if you have any security concerns.
- Do check your email regularly for security advice and alerts from IT Services.
- Do watch out for phishing – online scammers pretending to be someone else.
- Do be considerate of students and fellow staff when using IT systems and equipment.
- Do read and follow this policy (and the data protection policy).
Don't
- Don’t tell anyone your password or write it down where someone could see it.
- Don’t leave your computer unattended while you are logged onto it.
- Don’t get content from “dodgy” sources – they’re full of malware and other nasties.
- Don’t waste resources, for example by printing unnecessarily.
- Don’t attempt to bypass security systems, for example by turning off antivirus.
- Don’t unplug, modify, move or remove any University equipment.
- Don’t share personal data without taking a moment to “STOP, THINK, ASK”.
- Don’t assume information security is an “IT thing” – we all have a vital part to play.
Personal activity, equipment and services
We recommend you do not use UWL services or equipment for personal use. Keeping University and personal activities and data separate will improve your work/life balance and is more secure.
But if you do, you must:
- Follow all University rules, regulations and policies, as well as the law
- Keep personal use reasonable and to a minimum
- Always give priority to University work
And you must not:
- Expose the University to information security risks or excessive costs
- Use UWL services or equipment for commercial or for-profit activities or to compete with University business
UWL does not accept any liability for damage or loss of any nature caused by the use of UWL services or equipment for personal activity. This exclusion does not apply where personal injury or death is caused by the University’s negligence.
You may want to use your own personal devices for work. This includes mobile phones, tablets, desktop and laptop computers.
If you do, you must:
- Protect your devices with a password, six-digit PIN code or biometrics
- Run up-to-date and supported versions of your operating system and applications – turn automatic updates on
- Use antivirus – both Windows 10 and Mac OSX have anti-virus built in
But also you must not:
- Plug any personal device into the UWL network – use Eduroam wireless instead
- Use personal cloud services such as email, file storage or video calling for UWL business
- Store UWL data on a personal device
UWL reserves the right to inspect personally owned devices that connect to our systems to ensure they are secure, and to deny access if they are not. This may require installation of a local device management agent. Users unhappy with this should not use their personal devices for UWL activity.
Prohibited activities
All staff must follow the rules below at all times:
- Do not access, create, download, store or transmit anything which is indecent, offensive, defamatory or extremist.
- Do not access, create, download, store or transmit anything which is discriminatory or encourages discrimination on the basis of racial or ethnic grounds, or on grounds of gender, age, sexual orientation, marital status, disability, political or religious beliefs.
- Do not do anything that is illegal or with the intent to defraud.
- Do not do anything with the intent to cause harm, annoyance, inconvenience, distress or needless anxiety.
- Do not do anything with the intent to disrupt or damage the work or data of other users or attempt to access or modify that data without their permission.
- Do not jeopardise the integrity or security of UWL services, networks or equipment, for example by deliberately or recklessly introducing malware, setting up or using unapproved servers, services, equipment or software, moving or reconfiguring existing UWL equipment, services and networks, or trying to bypass any security systems or controls.
- Do not infringe copyright or break license agreements.
- Do not violate the policies of third-party services the University provides, such as Eduroam or Microsoft 365.
- Do not do anything that unnecessarily takes up capacity or resources. That includes excessive emailing, unsolicited commercial or advertising emails, using excessive bandwidth or wasting paper or electricity.
- Do not use UWL services, networks or equipment for personal gain or in a way which competes with the University’s business.
- Do not use UWL services, networks or equipment in a way that conflicts with your obligations to the University or with University rules, regulations, policies or procedures.
Passwords
Your UWL network password is very important. It gives you access to services and equipment and protects your data throughout your time at the University. You are responsible for everything done using your UWL network account.
- You must choose a good strong password.
- You must keep it confidential at all times.
- You must change your password if you receive a temporary password from IT, at least once every six months, and immediately if you think someone might know it.
- You must not tell anyone – even IT Services – your password.
- You must not write your password down where someone else could see it (you can store it in a secure password manager app).
Choosing a good password
The easiest way to choose a good, strong password that is easy to remember is to pick three random words, using a mixture of upper and lower case, separated with a punctuation mark. For example: Horse-Battery-Staple. Your password must:
- Be at least 10 characters long
- Contain both upper and lower case letters
- Contain at least one number or punctuation mark
- Be entirely random
- Have no connection to you or the University
- Not be based on a single dictionary word
- Not be used anywhere else
Monitoring and data access
UWL monitors University networks, equipment and services:
- In order to detect, investigate and resolve security incidents and system failures
- In order to investigate alleged misconduct, misuse of facilities, breaches of policy and regulation and risks of harm to staff or students
- In order to comply with our statutory PREVENT duty to prevent people being drawn into terrorism
Data will be accessed for one of the reasons above by authorised persons only, and always in line with the data protection policy and all relevant legislation. You must not attempt to monitor networks, equipment or services yourself without the explicit authorisation of the Associate Pro Vice-Chancellor and Chief Information Officer.
Besides the monitoring described above, data stored in areas assigned to an individual staff member, such as their OneDrive or email inbox, will normally only be accessed with the staff member’s permission or with the authorisation of the University Secretary and Chief Compliance Officer or, in her absence, a nominated VCE colleague. In an emergency – for example, if there is clear and immediate risk of harm to a student or staff member – authorisation may be given by any member of VCE.
UWL will comply with lawful requests for information from law enforcement and government agencies for the purposes of detecting, investigating, or preventing crime and ensuring national security. If you receive such a request, direct it to the University Secretary and Chief Compliance Officer.
Mobile and remote working
As a UWL staff member you may be issued with a mobile device, such as a laptop, tablet, mobile phone, or portable storage device, allowing you to work off campus. Non-mobile devices such as desktop computers must only be taken off campus with the asset owner’s permission.
Great care must be taken with such devices. In particular, the storage of confidential or personal data on such devices should be avoided as far as possible. When connecting devices to untrusted networks, such as public Wi-Fi, all UWL data MUST be encrypted in transit.
Portable storage devices must only be used when online storage services such as OneDrive or SharePoint cannot be used. They must be strongly encrypted and must never hold the only copy of any university data.
Mobile computing devices must have at least a 6-digit PIN or strong password set and should have full disk encryption enabled where possible.
Such devices must not be left unattended in public spaces or in open areas of the campus, even briefly. They must not be kept in full view in a vehicle, even for a short period of time, and must never be left in the vehicle overnight. When travelling by aeroplane, subject to airline regulations and applicable legislation, devices must be carried in the cabin and not checked in.
If a mobile device issued to you is stolen or lost you must notify the police, your line manager and the IT Service Desk immediately.
When a mobile device is no longer required, or upon termination of the contract on the basis of which the device was issued, the device must without exception be returned to the line manager or asset owner.
Recording meetings
Online meetings should normally not be recorded unless there is a specific necessary purpose and approval has been given by the responsible Head of School, College or service.
The Chair or organiser must advise attendees in advance, and again at the beginning of the meeting, if it will be recorded.
Covert recordings must not be made – doing so may be a disciplinary offence.
If a recording is made to assist with the taking of notes or minutes – which should not be routine practice – it does not replace the formal record of the meeting.
Recordings should not be made to be shared with those who could not attend. A formal minute or oral update should be provided instead.
Meeting recordings by their nature are personal data. Retention periods of no more than four weeks must be set and a legal basis for processing must be determined.
They must be made with, stored securely in and shared using UWL systems only. Sharing meetings should be exceptional and restricted only to specific people who need access.
Staff video training should normally be done as a standalone video rather than by recording a live training session. Never use real or live personal data for training purposes.
See the UWL lecture capture policy for recording of teaching.
See the UWL CCTV policy for the recording of video for the safety of students and staff.
Handling confidential material
In the course of your work at UWL, you may have need to handle confidential material. For example, commercially valuable information, personal data about students or colleagues, or sensitive information that must be restricted to only those staff who need to know it.
Be very careful when handling such material and always be sure to:
- Stop before you handle confidential material
- Think about how you will keep it safe
- Ask if you are unsure
Always put confidential papers in a drawer and either lock or log off your PC, even if only leaving your desk unattended for a moment. On Windows 10 PCs, press the Windows+L key combination to immediately lock your screen.
Always be aware of your surroundings when accessing or discussing sensitive, confidential or personal information. Who can see your screen? Who can overhear your conversation?
Always remove confidential material from printers, scanners and copiers as soon as you are finished.
Always use encryption to protect confidential material when required.
Always dispose of confidential information safely when it is no longer needed, following the UWL records retention schedule. Secure waste bins are available in staff offices for the safe disposal of paper records. Contact IT Services for help with the secure deletion of confidential files.
Never leave confidential material visible at your workspace when you are not present.
Never access confidential material for any personal or unauthorised purpose.
Never allow students access to the student record system.
Local administrator access
Very exceptionally, it is sometimes necessary for a staff member to have local administrator access to their UWL issued computer.
Local administrator rights are a significant risk to the security of the University’s infrastructure and must be handled with great care. It is essential that their password is strong, secure and unique, and if possible, local administrator rights should only be assigned temporarily to allow a staff member to carry out a specific task.
Requests for local administrator access rights must be made in writing. They must include a detailed justification and be approved by the staff member’s Dean of College, Head of School, or Head of Central Service Department, as well as by IT Services.
If you are granted local administrator rights, then you are responsible for ensuring you do nothing to compromise the security of the UWL network and IT infrastructure. In particular:
- You must not remove or modify UWL provided anti-malware and security software
- You must not remove or modify features which permit IT Services to manage or monitor devices
- You must not make changes to network configuration settings
IT Services will revoke local admin rights if necessary to protect the security of the UWL network and infrastructure.
Manager responsibilities
You must identify the data and processes you are responsible for and accept accountability for their protection.
You must assess relevant business, legal, contractual and corporate social responsibility risks to the activities of you and your team, ensure appropriate controls are in place to manage these risks and regularly test these controls. Background verification checks on candidates and employees, as established by HR, must consider the sensitivity of the information they will access during their work and the perceived risks of such access.
You must ensure you and your team understand fully your responsibilities regarding protecting systems and data and have the skills needed to fulfil these responsibilities. These responsibilities must be part of employment contracts, including responsibilities that remain after termination or change of function.
You must actively, regularly and demonstrably verify what your reports are doing and how systems under their supervision are functioning (with the assistance of IT Services where appropriate).
When a member of your team leaves the University or changes their role, you must ensure that:
- Any non-standard permissions or accesses that they had in their old role are removed
- Any data that your team needs to keep has been copied from their OneDrive, email and computer.
Third parties and contractors
If, as a manager, you make use of third parties or contractors for a particular function, you must ensure that:
- The contractual arrangements with them set out their (and their organisation’s) responsibilities for information security and data protection, including responsibilities that extend beyond the end of the contract.
- Background verification checks, as established by HR, explicitly consider the sensitivity of information to be accessed and the perceived risks from such access.
- They meet all specified requirements for information security and data protection, both on selection and on an ongoing basis.
- They understand and accept their responsibility for their actions in these areas.
- Where a third party uses contractors or sub-contractors of their own, that they are also made aware of and accept their responsibilities in these areas.
If it is necessary to give third parties access to UWL systems, services, equipment or networks, then this must only be granted after:
- Suitable confidentiality and accountability clauses are included in the contract
- A due diligence risk assessment has been performed
- IT Services have approved the access
- IT Services have reviewed and approved the technical means by which it is delivered.
Where remote access is required to UWL systems in order to provide support, each individual access must require explicit authorisation from a UWL staff member.
System owner responsibilities
As a system owner, you are responsible for the information security and data protection of the systems you own (see Responsibilities for information security above). That means:
- Ensuring that the system meets the requirements of this policy and the data protection policy.
- Ensuring information security and data protection are built into the design throughout the life cycle of the system.
- Ensuring that appropriate technical and organisational measures are in place to keep the system secure.
- Ensuring appropriate incident response and business continuity plans, aligned to the UWL incident management and business continuity framework are in place for the system and regularly reviewed and tested.
- Ensuring accounts – both regular and privileged – are managed properly and decommissioned when that user no longer has need of them.
- Ensuring the system complies with all legal and contractual requirements, such as the UK GDPR and PECR.
- Ensuring that systems and data are protected from damage, retained no longer than required, and securely disposed of when no longer needed.
- Co-operating with and supporting internal audit functions.
Security by design and default
When developing a new system, process or service, information security and data protection are a requirement from the beginning. While much of the work may be delegated to IT Services or a vendor, the responsibility for defining security requirements and ensuring the system is protected remains with the system owner.
Systems must be designed so that:
- Users can only access the data and functionality they have been authorised for (the “least privilege” approach)
- Accountability for usage is maintained by audit trails
- Availability is addressed through suitable high availability, business continuity and disaster recovery arrangements
- Regular security testing and review is part of the business-as-usual operation of the system
Each new service requires consideration of the unique risks it presents and the determination of necessary controls.
Systems must adopt the principle of defence in depth by having multiple resilient and redundant security controls in place that will continue to protect data even if one control fails or is bypassed.
Systems should never rely solely on perimeter or network defences, such as the UWL network firewalls, for security.
The default or vendor recommended configuration of a system should be subject to review.
There should be separate development, test and production environments for all business-critical applications, and attention should be given to the protection not just of live data but also test data and approved source/object code.
Web-based services
UWL has adopted a “cloud first” approach to new IT systems, so frequently a new service will be accessed via a web front end, accessible from the public internet.
Before deploying a new web service, systems owners must gain the approval of key stakeholders (such as IT Services and Marketing) and ensure that:
- Data protection legislation is complied with and this has been recorded (via Form D or a DPIA as appropriate)
- The service meets the Public Sector Bodies Accessibility Regulations
- The service meets the ICO’s Age Appropriate Design Code
- The service meets PCI DSS requirements if required
- Published content is licensed
- Content moderation is in place where user generated content is published
- Due consideration has been taken of the impact of the web service on UWL’s reputation, branding and search engine optimization (SEO)
Managing user accounts
A user account is a set of credentials and associated data that allows a specific person to log in to one or more UWL services. The account is used both to authenticate the person (confirm who they are) and to authorise them (confirm what services and data they should have access to).
Access to systems should only be granted on a “need to know” basis, with users having the minimum access required to perform their work.
Systems should be designed so that all activity on the system can be linked to an identified individual’s account.
System owners need to ensure they have documented processes for approving and managing the creation, change, emergency suspension and deletion/decommissioning of accounts and a mechanism for regularly auditing this process to confirm it is working.
All accounts in a system must be secured with a password or comparable authentication method.
Password strength rules should be implemented, requiring:
- Passwords be at least 10 characters long
- Passwords contain a mixture of at least three of upper-case letters, lower case letters, numbers and special characters such as punctuation marks
- Passwords do not contain the user’s name or username, and are not other common weak passwords
Multi-factor authentication (MFA) should be enabled if available.
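The password strength rules above are the kind of check a system owner would have implemented at account creation and password change. The following is an added example, not UWL code or part of this policy, of a validator for those rules: minimum length, at least three of the four character classes, no username or name fragment, and rejection of common weak passwords. The deny-list is a small constructed stand-in for a real breached-password feed, and the rule that any part of the display name of three or more letters counts is an assumption made here for illustration.

```python
"""Constructed example: a checker for the account password rules a system owner
is asked to enforce (minimum length, at least three of four character classes,
no username / name / common weak password). Not UWL code; the weak-password
list and the name-fragment rule are assumptions for illustration."""

import string

# Small constructed deny-list standing in for a real breached-password feed.
COMMON_WEAK_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "123456"}

MIN_LENGTH = 10
MIN_CLASSES = 3


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def password_problems(password, username=None, full_name=None):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")

    if username and username.lower() in lowered:
        problems.append("contains the username")

    # Assumption: any part of the display name of three or more letters counts.
    for part in (full_name or "").lower().split():
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains part of the user's name ({part!r})")

    # Strip trailing digits/punctuation so "Password1!" still matches "password".
    core = lowered.rstrip(string.digits + string.punctuation)
    if core in COMMON_WEAK_PASSWORDS:
        problems.append("is a common weak password")

    return problems


def is_acceptable(password, username=None, full_name=None):
    """True when no rule is violated; the caller should also enforce MFA separately."""
    return not password_problems(password, username, full_name)


if __name__ == "__main__":
    for candidate in ["Horse-Battery-Staple", "Password1!", "jsmith-rules", "Tr0ub4dor"]:
        result = password_problems(candidate, "jsmith", "Jane Smith")
        print(candidate, "->", "; ".join(result) or "OK")
```

The check returns the full list of violations rather than stopping at the first, so a user can be told everything that needs fixing in one go. Stripping trailing digits and punctuation before the deny-list lookup catches the common habit of turning a weak word into "Password1!" to satisfy a character-class rule.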
Managing privileged accounts
A privileged account is one which has additional permissions above and beyond what is provided to a “normal” account on the system. By their nature they are higher risk and must be protected accordingly. All privileged access to systems must be traceable to an individual and, if technically possible, logged in a way that prevents the privileged account altering it.
Privileged accounts must never be used to perform tasks that a non-privileged account can do. If one staff member needs to perform both privileged and non-privileged tasks, then they should either have multiple accounts assigned or, if supported by the system, use an account that normally runs without privilege but can be temporarily elevated when required.
Individuals with privileged accounts have been placed in a position of trust and must follow all applicable laws, regulations, policies and procedures.
As with all accounts, there must be documented processes for approving and managing the creation, change, emergency suspension and deletion of privileged accounts, and a mechanism for regularly auditing this process to confirm it is working. Approval for a privileged account’s creation must be given by the system owner.
Systems are often supplied with pre-defined, generic privileged accounts, such as “admin”, “superuser” or “root”. If possible, these should be disabled and separate privileged accounts, assigned to named administrators, used instead. Where these accounts must be kept active, their password must be immediately changed from the default, and if possible, the username should also be changed. If any member of staff who knows that password leaves, it must be immediately changed and recirculated.
Licensing and patch management
All software used in UWL (including free or open-source software) must be correctly licensed, supported (by either the vendor or a third party) and have security patches applied in a timely manner.
Patches whose severity is rated by the vendor as CRITICAL or HIGH must be installed within 14 days of release. Other patches MUST be installed within 28 days of release.
Where a vendor does not indicate severity with a CRITICAL-HIGH-MEDIUM-LOW ranking, reference may be made to the Common Vulnerability Scoring System (CVSS); but otherwise, such patches will be treated as CRITICAL.
If there is a business critical need to continue to run unsupported software, mitigating controls, such as network segmentation, must be put in place and documented in order to ensure that the University is not exposed to unacceptable risk.
Need help?
If in doubt, contact IT Services:
- Telephone: 0300 111 4895
- Telephone: 222 from any University phone
- Email: ITServiceDesk@uwl.ac.uk