Information Security at Staffordshire University

Information Policies and Guides

Information Security Systems for Staff

Data held on IT systems is valuable and critical to the business of the University. We all rely on IT to store and process information, so it is essential that we maintain Information Security.

The purpose of information security policies is to preserve:

Confidentiality

  
Data is only accessed by those with the right to view the data.

Integrity


Data can be relied upon to be accurate and processed correctly.

Availability

  
Data can be accessed when needed.     

Failure to comply with the requirements of these Information Security Guidelines may lead to disciplinary action.

The implementation of information security throughout the University is the role of the Information Systems Security Group.

Every member of staff is personally responsible for complying with the policy and guidelines.

An information security incident is an event which may compromise the confidentiality, existence, accuracy or availability of stored information.

You, as a computer user, are responsible for complying with the regulations, and for reporting security breaches.

If you become aware of any security incident that affects you or your colleagues then you should report it. In the first instance contact 3800. The incident will then be logged and passed to the Information Protection and Security Manager for evaluation and possible further action.

Password is Compromised


You discover that someone else has access to your account using your password, or others are misusing passwords.

Hacking Attempt


Systems disable accounts where the wrong password was entered three times. If your account was disabled because someone else was attempting to access it then a security incident has occurred.


Computer Virus Infection


Virus infection that was not detected and cleaned automatically.

Computer Files Missing

  
Unexplained deletion of any file.

Unexplained Changes to System Data / Configuration

  
Any unexplained change to data.

Theft / Loss of IT Equipment

  
A theft or loss is an information security incident if it means that information is lost or made available to others.

Unauthorised People Using or Attempting to Use IT Equipment

  
This particularly applies to areas where sensitive data is processed.

In general, an Information Security Incident is any event that resulted in, or could have resulted in:

  • Disclosure of confidential information to an unauthorised person.

  • The integrity of the system or data being compromised.

  • Embarrassment to the University.

  • Financial loss.

  • Disruption to information processing systems.    

Your password is your main protection against someone else using your account. It enables you to make sure they can't use your account to send an email in your name, access your data, or make changes to your data. All activity on your account is deemed to have been made by you.

You must:

  • Change your password regularly (at least every 60 days).

  • Choose a password that is a minimum of eight alphanumeric characters.

  • Choose a password that cannot be guessed (avoid using your name, a child's or pet's name, car registration number, football team, etc.).

  • Keep passwords secret.

  • Change your password immediately after you suspect someone knows it.

  • Log out when away from your PC/device.           

You must not:

  • Use the 'Save Password' option in login boxes.

  • Write down passwords in a form that others could identify.

  • Share passwords.

  • Give your password to anyone.

  • Re-use old passwords.

  • Allow anyone to watch you typing your password.   

Data held in electronic form with suitable backups is less vulnerable to loss than paper copy. This includes formal records, documents, course material and assessments. Consider this method of storage whenever possible.

Do:

  • Protect your system from unauthorised use, loss or damage, e.g. lock your door when out of office.

  • Take measures to guard it from ground floor windows.

  • Keep portable equipment secure, e.g. do not leave it in a car.

  • Position monitors and printers so that others cannot see sensitive or personal data.

  • Keep USB sticks and other media in a secure place.

  • Seek advice on disposing of equipment.

  • Report any loss.

  • Take particular care at home to keep the system and sensitive data secure from other people.

  • Take care not to spill food or drinks over the equipment.

  • Get authorisation before taking equipment off-site.

  • Take care when moving equipment.

  • Log out, shut down or lock the system when leaving your office.

  • Switch off overnight.

  • Ensure sensitive or personal data is deleted from internal disks prior to disposal or transfer of desktop equipment.          

You must:-

Recognise that all forms of data storage are subject to data loss, for example when a disk crash occurs. You must therefore take steps to ensure there are copies of all important data, called backups.

You are responsible for the security of data on your desktop equipment including backups of all important data held on it. Information stored on central servers is backed up regularly by Information Services. Sensitive or personal data is deleted from internal disks prior to disposal or transfer of desktop equipment.

PC Users:

  • Wherever possible, save important data onto centrally managed network drives (the H: drive). These are backed up daily.

  • Take copies of data from your local hard drive (C:) to shared storage (H: drive or similar), removable media (e.g. USB drive) or cloud storage such as OneDrive.

  • Between backups keep your paper copy of all data entered, so that you can re-input it if necessary.

  • Keep your USB devices or other removable media in a secure location away from the computer. It is no use having these in a desk drawer if the desk and computer are destroyed by fire.

  • Regularly check that another system can read the removable media.           

Macintosh users:

  • If you have access to a centrally managed server, save a copy of all important data onto this area.

  • Take copies of data from your local hard drive (usually Macintosh HD) to external removable media. This could be OneDrive, a USB drive or a writable CD.

  • Between backups keep your paper copy of all data entered, so that you can re-input it if necessary.

  • Keep your removable media in a secure location away from the computer. It is no use having these in a desk drawer if the desk and computer are destroyed by fire.

  • Regularly check that another system can read the removable media.           

Malicious software covers all software which has been deliberately designed to harm computer systems. Such software is spread from one system to another through:

  • email (normally attachments)

  • exchange or download of files

  • embedding into computer games           

Computer systems that use the Information Services standard Windows software image are protected automatically using the latest versions of the anti-virus software. However, you should be aware that the anti-virus software cannot automatically detect newly developed viruses. You should therefore take the following precautions to guard against attack:

Staff must:-

  • become familiar with the operation of the anti-virus software and must not change the scanning properties.

  • only acquire software from reputable sources.

  • not load unauthorised software (particularly games) onto their computer.

  • not use unsolicited USB drives or CD-ROMs received from untrusted sources.

  • not open email attachments from unsolicited or untrusted sources. 

Staff using computers (either PCs or Macintoshes) which are not set up using the standard Windows image are additionally responsible for the following precautions:

Staff must:-

  • ensure that an effective anti-virus system is operating (Sophos is available as a free download to staff).

  • check, at least every month, that they are using the latest version of the Virus Definition Files.

  • configure the anti-virus software so that it automatically scans incoming documents.

If you set up a shared database or share files / folders on your local disk or in OneDrive, then you must ensure that Information Security is not compromised.

You must:

  • Ensure that access is only given to those users authorised to share this data.

  • Take care to remove any global access rights from the share.

  • Decide how this data will continue to be shared in the event of failure or loss of your system.

  • Document the system so that it can be recovered in the event of loss.

All users must be aware of the legal requirements and the University IT Regulations. When you apply for an account on, or use, any University System you agree to comply with all relevant legislation.

In Summary

Data Protection Act 1998

You have responsibility and liability if you process personal data. You must be particularly careful not to disclose personal data to anyone who does not have the right to access it. 

Copyright, Design & Patents Act 1988 

You must not use or copy any software for which there is no software licence. You must not install any software without authorisation. 

Computer Misuse Act 1990 

The following activities are a criminal offence:

  • Unauthorised access (hacking)

  • Unauthorised access with intent to commit further offence

  • Unauthorised modification (including introducing a virus)

Email Policy & Internet Policy

The University publishes an Email Policy and an Internet Policy which provide guidance for staff.