Policy for safe use of University information on all devices

This policy applies to staff, students, associates, and anyone else using University IT and University information.

This policy explains what you need to do to make sure University information is safe when you are accessing, storing or managing it.

1. Policy

1.1 The University aims to facilitate the flow of information to, in and from the University, while protecting its confidentiality, availability and integrity. This policy acknowledges that the University is responsible for ensuring that information handling complies with legal, contractual and ethical requirements, regardless of the means by which University information is accessed.

1.2 Users and devices used must comply with University regulations, policies and guidelines.

1.3 The University provides support for the main types of device which might be used to access University information. The University may deny or restrict access to University information from devices not managed by the University to protect the integrity of University information. Restrictions may include the imposition of configuration requirements on devices and the requirement to run managed security software.

1.4 The University will prevent access to the University network by any device that it considers to be a risk to the network or information security.

1.5 The University may scan any device used to access the University’s network or information to look for threats and to ensure information security.

1.6 When a threat is identified through automatic scanning of any device, the University will investigate further and at its discretion may clean the device before it may be used to access the University network.

1.7 The University may require users to give the University access to University information stored on personally owned or third party owned devices.

1.8 The University provides guidance to help users implement this policy.

2. University information user obligations

2.1 Users must follow the actions specified in this Policy to meet the University's compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.

2.2 Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information. Guidance for policy for safe use of University information on all devices provides advice on how users can meet their obligations.

2.3 Users must consider and address the risks of using any device to access University information in order to:

2.4 Users must check the data protection and security requirements for University information stored on or accessed from their devices before travelling, particularly if travelling outside the European Economic Area.

2.5 Users must encrypt, manage and configure their devices to ensure that University restricted and confidential information is kept secure.

2.6 Users must encrypt restricted and confidential University information before sharing it, and use University supported services to transmit and store it.

2.7 Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.

2.8 Users must not allow non-members of the University (including family or friends) to use University supplied devices.

2.9 Users must control access to University information accessed from or stored on their devices.

2.10 Users must securely delete University information from non-University managed devices when they have finished using the information while also complying with the University’s Research Data Management and Records Management policies.

2.11 Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident (such as unauthorised access), which might have compromised the information.

2.12 Users must return University supplied devices to the University when required to do so, when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University.

3. Scope

3.1 This policy applies to all users who handle University information including, but not restricted to, University staff and students, staff of University companies, associates, contractors, consultants, visitors and guests.

3.2 This policy covers all devices used to access University information whether supplied by the University, personally owned or provided by a third party, used on or outside University premises.

3.3 This policy covers all information held by the University, including emails and attachments. The Information Classification and Handling Scheme provides guidance on the classification of information and the appropriate methods for handling the different levels of security required.

4. Oversight

4.1 The Information Security Board monitors and reviews this policy.

5. Responsibilities

5.1 All users of University information are responsible for protecting and ensuring the security of the information to which they have access.

5.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

5.3 Users who act in breach of this policy, or who do not act to implement it, may be referred for further action following the University’s Disciplinary procedure and guidelines.

5.4 Any violation of this policy must be reported to the Director of Information Services, or their nominee, who will take appropriate action and inform the relevant authorities.

Implementation

6. Policy implementation and related documents

6.1 This document, together with related guidance, is available at:

www.york.ac.uk/information-directorate/information-policy/index

6.2 Guidance on this policy

6.3 Information Classification and Handling Scheme

6.4 University Regulation 11: Using University Information

Appendices

Appendix A: Definitions of devices

University supplied devices

A device supplied by the University enabling a member of staff or a student to fulfil their University role from wherever they are located either on or off-campus.

  • University managed devices: These devices are supplied pre-configured with security and management features.
  • University non-managed devices: Devices supplied by the University which are not pre-configured with security and management features. Users must manage these in the same way as devices that are personally owned or provided by third parties.

Personally owned devices

A device which is the personal property of the user.

Third party devices

A third party device managed or supplied by neither the University nor the individual user. It includes devices provided by a third party and facilities available in public libraries, hotels, airports and cyber cafes.

Document history

20 April 2015 Approved by Information Security Board

Review

Review cycle: After one year and then three yearly

Date of last review: December 2017

Date of next review: December 2020