Policy for safe use of University information on all devices

Related pages

Applies to everyone - all staff, students, associates, and anyone else authorised to use University IT facilities and information.

Explains what you need to do to make sure University information is safe when you are accessing, storing or managing it using any device whether University owned, personally owned or provided by third parties and whether you are on or off campus.

 

Policy

1. Policy

1.1 The University aims to facilitate the flow of information to, in and from the University, while protecting its confidentiality, availability and integrity. It acknowledges that regardless of the means by which University information is accessed, the University is responsible for ensuring data handling complies with legal and contractual requirements.

1.2 The University allows users to access University information from any device as long as their use complies with relevant University regulations, policies and guidelines.

1.3 The University provides support for the main types of device which might be used to access University information. Access from non-University managed devices may be restricted or configuration requirements imposed in order to protect the integrity of University information.

1.4 The University will prevent access to the network by any device that it considers to be a risk to the network or information security.

1.5 The University scans University supplied and managed devices for threats to the network and to ensure information security. The University may require that non-University managed devices (whether supplied by the University, personally owned or third party provided) that are used to access or store University information run managed security software. In these circumstances the scanning will be automated and will only look for security threats (eg scanning with anti-virus software).

1.6  If a threat is identified through automatic scanning of any device the University will investigate further and at its discretion may clean the device if required.

1.7 The University may require access to University information stored on personally owned or third party owned devices.

1.8 The University provides guidance to help users implement this policy

2 University information user commitments

In this section “Users” means all users of Restricted and Confidential University information whether they are a member of the University of York or not.

2.1 Users must follow the actions specified in this Policy in order to meet the University's compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.

2.2 Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information. Guidance for policy for safe use of University information on all devices provides advice on how users can meet their commitments.

2.3 Users must consider and address the risks of using any device to access University information in order to:

2.4 Users must check the data protection and security requirements for University information stored on or accessed from their devices before travelling abroad, particularly if travelling outside the European Economic Area.

2.5 Users must encrypt, manage and configure their devices to ensure that University information is kept secure.

2.6 Users must encrypt confidential University information before sharing it and use University supported services to transmit and store it.

2.7 Users must minimise the risk of inadvertently giving away their private information and access to their devices by checking that the online services and web sites they access have appropriate security features for the intended task

2.8 Users must minimise the risk of infection from malicious software by assessing whether to install a new piece of software, accept a download, or similar.

2.9 Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.

2.10 Users must not allow non-members of the University to make any use of University supplied devices (including family and friends).

2.11 Users must control access to University information accessed from or stored on their devices.

2.12 Users must search their devices (including personal and third party devices) and provide University information if required to do so by the University.

2.13 Users must securely delete University information from non-University managed devices when they have finished using the information.

2.14 Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident which might have compromised the information (such as unauthorised access).

2.15 Users must return University supplied devices to the University on request or when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University.

Scope

3. Scope

3.1 This policy applies to all users who handle University information including, but not restricted to, University staff and students, staff of University companies, associates, contractors, consultants, visitors and guests.

3.2 This policy covers all devices used to access University information whether supplied by the University, personally owned or provided by a third party. This includes mobile and non-mobile devices whether they are used on or outside University premises.

3.3 This policy covers all information held by the University, in all formats (physical and electronic), including emails and attachments. The Information Classification and Handling Scheme provides guidance on the classification of information and the appropriate methods for handling the different levels of security required.

Oversight

4. Oversight

4.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

5. Responsibilities

5.1 All users of University information are responsible for protecting and ensuring the security of the information to which they have access.

5.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

5.3 Users who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

5.4 Any breach of information security or violation of this policy must be reported to the Director of Information who will take appropriate action and inform the relevant authorities.

Appendices

Appendix A: Definitions of devices

University supplied devices

A device purchased by the University enabling a member of staff or a student to fulfil their University role from wherever they are located either on or off-campus. The device may or may not be mobile.

  • University managed devices: The device will be supplied pre-configured with security and management features. This includes desktop devices and mobile devices such as laptops, tablets and phones.
  • Non-University managed devices: Devices purchased through the University, but which are not pre-configured with security and management features. Users need to manage these in the same way as devices that are personally owned or provided by third parties.

Personally owned devices

A device which is the personal property of the user and which is managed and configured by the user. This may be a device used from a fixed location, perhaps the home of the member of staff, or it may be a portable device used in any location to access University information.

Third party devices

A third party device managed by neither the University nor the individual user. It includes devices provided by a third party (eg a funder or project partner) and facilities available in public libraries, hotels, airports and cyber cafes. The device might be used by multiple users and the user has limited or no ability to modify software configuration settings.

Mobile device

A mobile device is a portable computing or telecommunications device which can be used to store or process information. Examples include laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, voice recorders and flash/memory cards.

Document history

Document history

20 April 2015 Approved by Information Security Board

Review

Review cycle: After one year and then three yearly

Date of next review: May 2016