The following are the specific Policy components which have been agreed by the University.
- Information Security (applies to ALL Information Security – both electronic and hard copy)
- IT Network Security (covers the IT Network Security – managed by IT Services)
- IT Server Security (covers IT Server Security – managed by IT Services)
- IT Access Control (covers IT User Access Security – managed by IT Services)
- Required response to Information Security Breaches Incidents
3.1: Information security policy
Information confidentiality requirements
The University has an overall obligation to protect the information it uses from inappropriate access, release or publication in compliance with the Data Protection Act.
This extends to our obligation to any ‘data subject’ not to disclose or expose their personal data to third parties without their consent. Unauthorised disclosures will breach the Data Protection Act 1998, and may give rise to legal action by the data subject and the Information Commissioner.
Personal data may only be used for the purpose for which it was originally collected. At the point of collection the data subject must be informed of the reason for the collection, the use the data will be put to and how long it will be kept for. Any changes to these must be subject to written approval from the data subject. Personal data may not be collected for one purpose and then put to another use without the informed consent of the data subject.
Great care is required when dealing with a request to make an information disclosure about a person.
The requirement not to disclose without the informed consent of the data subject extends to those who, for example, are, or claim to be, the parents, guardians, employers, or National Government representatives of Students.
Such requests should always be made in writing and, where there is any uncertainty, referred to Legal Services for a decision.
Personal data may be disclosed to other University staff, provided that the information is required for the performance of their official duties. Staff with such access privileges may not make use of that data for purposes other than official University business.
This obligation extends to ensuring that access to stored personal or sensitive data is restricted to only those staff for whom access is essential in order to fulfil their duties. By virtue of this obligation, such data should never be placed or left exposed in a general staff or public shared area (either physical or electronic).
Personal Data may not be disclosed to external persons (including relatives) or organisations without the subject’s prior informed consent unless its release is required in order to prevent a crime, or in order to comply with a legally enforceable instruction (such as a court order).
Disclosures may also be made in emergency life or death situations.
Specific Policy areas are provided in the further sections below and you must familiarise yourself with the content of these and use them as points of reference to follow as they relate to your work.
For further information about the law that these specific Policy areas are based upon, see the Data Protection Act.
Members of Staff are required to undertake appropriate training before using University Systems and Services, and Line Managers are required to ensure that this happens as part of a new member of Staff’s induction. Part of this training includes ‘essential’ Data Protection Act training which ALL members of Staff must undertake in order to familiarise themselves with the purpose behind the eight principles of the Act.
This training must also be ‘refreshed’ bi-annually. Anyone not having completed this must raise this requirement with their line manager or with HR.
Dependent upon their role, some staff may need to examine the requirements of the Act in greater depth.
If you need more detailed advice relating to something you are working on, please contact Legal Services.
3.2: The University IT data access control policy
The purpose of this is to ensure that access to both electronically stored University Information, and to University IT Assets which underpin that information, is restricted appropriately to those that need it to fulfil their role duties and obligations. It further aims to ensure that such access, once given, remains restricted only to those individuals for as long as they are required to fulfil that role.
This is best achieved by ensuring that a user’s responsibilities to properly protect the access privileges allocated to them are fully explained, documented, understood and then properly observed.
The policy covers all University systems and services including computer systems and electronic communication systems. It applies to ALL users of those systems and services (employees, students, contractors, partners and other external agents) who are provided with University IT Service privileges.
IT data access policy – specific requirements
University Management are required to ensure that all IT data and voice systems, along with the supporting procedures and processes, meet the requirements of the Information Security Policy by:
- Ensuring that access to system components is strictly limited on a ‘least privilege’ basis to those persons for whom it is essential in order for the duties, obligations and functions of the University to be met.
- Maintaining records of access privileges allocated to individuals
- Ensuring that procedures are in place for reviewing existing access privileges after a role or system change in order to confirm that access either remains appropriate or, if not, that it is removed
- Ensuring that appropriate secure authentication controls exist on all computing and communications hardware and software or on any external computing services employed
- Ensuring secure procedures are in place for setting and changing passwords
- Ensuring appropriate controls are in place for the issuing of passwords
- Ensuring guidelines are in place for the composition of passwords
- Ensuring procedures are in place for dealing with the misuse of passwords or credentials
- Preventing unauthorised access through lack of passwords or through weak or uncontrolled passwords
- Ensuring that passwords allocated are set in accordance with the password guidelines
- Detecting the misuse of passwords
- Removal of access rights on termination of contract with the University and the removal of all associated data in agreement with the appropriate line manager or departmental head.
Systems acquired, leased, designed, developed or purchased are required to meet appropriate minimum access control standards.
All systems storing confidential, personal or sensitive information must:
1. Identify the user as someone authorised to use the system
2. Be securely password protected (i.e. the password should not be capable of being intercepted or interpreted)
3. Passwords should be:
   a. At least 8 characters long (and should cater for longer passwords)
   b. Complex, containing a suitable mixture of letters, digits and punctuation marks
   c. Be automatically locked after 20 or fewer consecutive failed login attempts
   d. Capable of reporting repeated login failures as event alerts
   e. Be subject to a forced change after a pre-set period
   f. Not be passwords that the user has previously used
Where the data stored is confirmed to not comprise confidential, personal or sensitive information, only requirements 3a & 3b above are required as a minimum.
These requirements should be automatically verified and controlled by the system in question.
- Have had the appropriate classified data (e.g. confidential, personal, sensitive etc.) to be held within a new system/service confirmed with the University’s Legal Services Group – they may wish to record the system as a data repository which they need to be aware of. There will be a requirement to document how such data will be validated, how information changes will be controlled and audited and which job roles will have access and what level of access.
- Where there is a need for different levels of security within a system (e.g. manager’s level, administrator’s level, user level etc.) it is a requirement to be able to assign appropriate permissions to individual user accounts so that only those system access privileges which are necessary for them to carry out their duties can be used by them.
- A system administrative function (e.g. adding or removing users or adding/changing other users’ passwords) requires a separate login and should not be capable of being carried out by a normal user. However, any user should be able to change their own password from within their system account. Administrative users should not be able to view any user’s password.
- In order to obtain an account and password for a system a member of staff must have prior authorisation from an appropriate Information Custodian for the system (there must be a process to ensure this).
Use of contractors
No data either collected, or generated, by the University for any purpose may be placed (permanently or temporarily) in the hands of any Contractor or external service provider for any purpose unless:
- There is a clear definition and understanding of the data involved
- The complete ‘data lifecycle’ is documented (from data acquisition through to disposal)
- The storage, processing and data access arrangements are fully understood and documented
- The security accreditations of the contractor and the safety of their systems/services is known
- The contractor’s use of sub-contractors is documented and understood
- The proposed storage location/s of the data at rest is known and is secure
- The proposed arrangements around data in transit are known and are secure
- That the security of the data is adequately warranted by contract
- That ‘due diligence’ via Legal Services & IT Services has been carried out on the arrangement
- That an approved (by Legal Services) Contract is in place before the arrangement ‘goes live’
- That any changes to such an ‘approved arrangement’ be subject to strict change control thereafter
- That the University’s right to the data in the event of contract termination is catered for
For new users
- New or changed user passwords will only be transmitted to that person in a secure way. If printed, the password will be in a sealed envelope and handed to the person concerned on production of a valid University ID card. Any document on which this information is written should be shredded once the account has been successfully accessed. Alternatively it may be sent via SMS to the user’s validated personal mobile phone or personal email address (user IDs and passwords must not be transmitted electronically together within the same message or using the same medium). Users in receipt of a new password are required to change it immediately to one that only they know, and not to share it with any other person.
- New System users performing Staff roles should be given access to a copy of the Code of Conduct for the Use of ICT Facilities along with this policy when they are given their account and password.
- New student users are required to confirm their acceptance of the terms and conditions of the Code of Conduct for the Use of ICT Facilities as a condition of the registration procedure for allocation of a computer account and password.
- Users shall not write down or record, where others can either see or access it, their account password for any University system, nor shall they pass on a password to any other person by any other means or under any circumstances. If any user believes that their password has been compromised in any way, then they are obliged to change it immediately to one that is secure.
- Users shall not allow others to use their account once logged in, or at any other time.
- All users will be periodically requested to confirm their acceptance of the Code of Conduct for Use of ICT Facilities via a system reminder which unless accepted may result in withdrawal of the use of facilities or in a reduction of privileges.
This will be carried out via the University Disciplinary procedures.
3.3: The University IT network security policy
To provide clear terms of reference for those persons contemplating either adding to, or changing, existing network services run by the University.
This policy must be followed for all services needing to utilise the University Network. This is essential in order to minimise the potential for attacks and/or unauthorised access to University information, technology and assets.
The policy will be applied automatically to any requested changes or to situations where any non-compliance is discovered.
Specific scope (network)
This policy covers ALL devices or network components owned and/or operated by the University, and University partners or subsidiaries which require a connection to the University Network.
Included (but not limited to):
- Physical infrastructure, hardware and software
- Network Equipment (including switches & hubs and extensions)
- Wired connections to the Network
- Wireless connections to the Network
- Virtual Connections to the Network
Excluded from scope
- Networks owned and maintained by subsidiaries or partners
- Separate self-contained networks not connected to the University network.
Any networked server devices will be governed specifically by the Server Security policy (see section 3.4).
All University buildings will usually be provided with connections to the core University network and telephone system.
Only equipment authorised by IT Services may be connected to these. Connections may only be made through approved network points (including wireless access).
Equipment such as routers, hubs, switches or any other network extensions may not be connected to network connection points without the permission of IT Services.
Modems or any other devices capable of receiving external connections must not be attached to a device (e.g. a server or PC) which is connected to the network without the permission of IT Services.
Audits and tests may be carried out on any network connected resource. This will include testing configuration settings, procedures and processes, content filtering and physical security.
Any vulnerability found will be escalated to those responsible.
Any failure to remediate an identified risk within a reasonable time scale may result in removal from service until the matter is addressed and the matter may also be escalated within the University.
Any unauthorised device connected to the network which is either causing a problem, or creating a vulnerability or risk, may be disconnected and removed from the relevant network point and office location.
Those responsible will be required to provide an undertaking that the equipment will not be reconnected. If the equipment in question is University owned, then it may be retained in a secure location until the necessary compliance undertakings are received. If the device is personally owned equipment, it may be permanently blocked from further network access.
In circumstances of non-compliance, disciplinary action may also be pursued.
3.4: The University IT server security policy
An IT server is a computing device designed to process requests and deliver data to other (client) computers over a local network, the Internet or by some other connection.
Networked servers are usually configured with additional processing, memory and storage capacity to handle the load of servicing clients. A server would typically be capable of being connected to by multiple users or other systems.
The purpose of this policy is to provide clear terms of reference for those needing to join servers to the Coventry University Network or to store University Information on servers external to the Network. This policy applies to all existing and future servers that might be employed in the provisioning of either a permanent service or a temporary arrangement.
University information should not be stored on any internal or external server unless the arrangement has been specifically approved as a ‘safe arrangement’ by both Legal Services and IT Services. To this end an ISO27001 accredited storage service is available via IT Services.
This policy is essential in order to minimise the potential for attack and/or unauthorised access to Coventry University intellectual property, stored personal information or University technology and assets.
Regular compliance testing will take place on both existing server arrangements as well as any changes to configuration.
The policy will apply automatically to all servers connected to the University network. Non-Compliance may result in disconnection without notice.
Specific scope (servers)
This policy applies to any server equipment (virtual or physical) owned, operated and/or loaned to/by Coventry University including any servers registered under any School, College, Faculty, Professional Service, Partner or Subsidiary which requires either connectivity to the University network or to store University information.
This includes, but is not limited to, servers connected to internal Local Area Networks and external access via internet communications provided by both IT Services and JANET, or to stand alone servers which can be connected to by some other means.
Excluded from scope
- Servers on Networks owned and maintained by stand-alone trading subsidiaries or trading elements of the University Group, which are subject to control of their respective Board/s through local governance structures. It should be noted, however, that it does cover all servers that are owned and maintained by the above trading organisations which are directly connected to the Coventry University network.
- Servers connected to self-contained networks. However, as soon as a server is made live and directly connected to the Campus Network, or has University Information loaded to it, this policy will automatically apply and must be adhered to immediately.
Reference should also be made to the Network Security Policy (see 3.3 above).
Ownership and responsibilities
All Servers either Networked, or having University controlled data stored on them, must be registered with IT Services and must meet established configuration and management requirements. Implemented software versions and configuration documentation must be provided at the time of registration. All approved servers must also have a named server manager who will be responsible for keeping the server properly patched and protected. The server manager will also be responsible for ensuring appropriate access controls are in place.
Approved Servers must continue to operate in a safe and secure manner throughout the life of the server and it is the responsibility of the ‘server manager’ to ensure this.
In order to provide an overarching service assurance in this regard, IT Services, or their agents, will monitor the security arrangements and test them from time to time. All University staff and contractors are obliged to co-operate with these exercises (and any new contractual arrangements with external partners should allow for this).
All server security incidents, problems, vulnerabilities or threats (whether suspected or confirmed) must be properly recorded and reported to IT Services as soon as they are discovered. IT Services must ensure that any identified risks to the protection of confidential/sensitive information; service configuration information; systems access control or to the integrity of University data (accuracy), are contained and then mitigated as far as is possible.
IT Services will remotely scan storage devices periodically in order to confirm that no sensitive data such as personal details or payment card details are being stored in a repository which is accessible to those without authority to have that access.
All University IT users are required to co-operate with any instructions or requests from IT Services in this connection relating to their use of IT whilst any threat continues.
University Managers are responsible for ensuring that their staff, students or employed agents are aware of, and understand these requirements. Any server found to be failing to comply with this policy, or to be causing detriment or risk to the normal operation of the University Network or to any dependent IT service or business function, may be disconnected from the Network without notice.
3.5: User owned IT devices
It is recognised that many IT users bring their own devices and connect to University services (this has been a well-established principle for Student users for some time now).
However, where staff owned devices are used, there is a risk that ‘sensitive’ University information could be placed, or could migrate, onto these devices which may be lost, stolen or accessed by unauthorised persons.
Devices include PCs, laptops/notebooks, tablets, smartphones, external drives, memory sticks and other transportable storage.
Therefore, the guiding principle is that permission is not given to store sensitive University information on these devices unless:
- The device is protected with a secure password and/or (where possible) encryption
- The device is configured to be wiped remotely if lost or stolen
- No-one other than the person authorised to access that sensitive information can do so
- The User’s line manager has approved this type of data being stored on the device
- No University information is backed up into any non-University contracted ‘Cloud Services’ on the Internet.
- The owner agrees to notify the University if the device is lost
The University provides encrypted USB drives to enable University data to be held and accessed by mobile devices. As a result no sensitive or confidential data should be stored on users’ own IT devices.
3.6: User owned cloud (internet) storage
Many users have private Internet based email accounts which may also come with data storage facilities.
Many users might be tempted to use these facilities as a ‘data-bridge’, to get sensitive data from a University system onto their own device (assuming that the device complies with 3.5 above).
There are problems with this, not least of which are:
- The University cannot attest as to the security arrangements of any such service provider
- The storage location of the University data will be unknown
- The laws governing what can happen to that data will be unknown
Consequently permission is not given to process or store sensitive University information on such private facilities.
This includes the use of such non-contracted facilities as ‘Dropbox’, Google Docs and similar.