Policy for device access to University information 

Policy

1. Policy

1.1 Information handling 

1.1.1 The University aims to facilitate the utilisation, exchange and storage of information; across the University and with external bodies or organisations, while appropriately protecting its confidentiality, availability and integrity.

1.1.2 This policy acknowledges that the University is responsible for ensuring that information handling complies with legal, and contractual and ethical requirements, regardless of the means by which University information is accessed.

1.1.3 All information processing must consider and address the risks of using any device to access University information in order to:

• keep information confidential where appropriate, in accordance with the University Information Classification and Handling Scheme and Data Protection legislation and supporting University policy;
• prevent loss of information by any means, including theft;
• maintain the integrity and accessibility of information across the identified retention period.

1.1.4 Any security incident which may impact on the confidentiality or integrity of University information (not restricted to personal information) eg;

• incorrect sharing of research, teaching, operational or personal information;
• unauthorised access to information or devices; 
• Device, information or record loss.

must be reported (cyber_incident@york.ac.uk) and subject to a security review to establish any factors that may compromise the devices or information

1.2 User requirements 

1.2.1 Users must follow the actions specified in this Policy to meet the University's compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.

1.2.2 Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information. Guidance for policy for safe use of University information on all devices provides advice on how users can meet their obligations.

1.2.3 All Users must check the data protection and security requirements for University information stored on or accessed from their devices before travelling, particularly if travelling outside the European Economic Area.

1.2.4 Users must ensure that they adequately protect any Restricted or Confidential University information before sharing it, and use University supported services to transmit and store it.

• Portable devices must be encrypted;
• USB media is prohibited;
• Shared files or drives must have user specific access lists

1.2.5 Users must control access to University information accessed from or stored on their devices, it is not permitted to allow family or other individuals not connected to the University to access University provided devices.

1.2.6 Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.

1.2.7 Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident (such as unauthorised access), which might have compromised the information.

1.3 Endpoint Protections 

1.3.1 Any loss of device (eg theft, misplaced) which may have been hosting or providing access to University information must be reported to the University; cyber_incident@york.ac.uk, as soon as practically possible.

1.3.2  University devices 

• The University IT Services function provides devices which contend with the main types of device which a user may request to use to access University information; Windows, Mac and Linux.
• The primary device types are provided as Managed Devices; these devices are provided to the user with pre-configured security controls and comply with University security policy and can be updated with the latest security patches or updates as required.
• The University will provide staff, staff associates and postgraduate research students with a Managed Device.  
• Managed Devices will, by default, not be provided with administration rights for the user. “High Flex” user access rights will be available upon request and approval and, where required for research, teaching and learning activities, risk assessed administration rights may be provided.  
• Users with legacy “unmanaged” devices are responsible for ensuring that their device is updated with security patches and following IT Services best practice and installing recommended software.
• Users must return University supplied devices to the University when required to do so, when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University.
• Users must not allow non-members of the University (including family or friends) to use University supplied devices.

1.3.3 Bring Your Own Device (BYOD)

• Staff, staff associates or PGR users who utilise BYOD devices (laptops, desktops, mobile and tablet devices) for access to University services or data or information must register their device with the University.
• Where Staff, staff associates or PGR users require to store or process information that is classified as “Confidential”, contains personal information relating to other people or is research related information, then they must use a University Managed Device and must not store any of this classification of information on a BYOD device. 
• Where Staff, staff associates or PGR users require to store or process information that is classified as “Restricted” they must follow guidance on protecting their device and securely delete the relevant information from BYOD devices when they have finished using the information while also complying with the University’s Research Data Management and Records Management policies
• All users of BYOD; staff, student and associate, must follow published guidance for this policy to ensure that their device is operating with the up-to-date security configurations or patches in line with manufacturer requirements for all software. 
• All users must manage and configure their devices to ensure that University information is protected in line with the Information Classification and Handling Scheme.
• All other student BYOD devices do not require to be registered with the University as BYOD.

1.3.4 Third Party Device 

• Suppliers, partners or contractors may provide devices managed by their organisations. These devices should not be connected directly to the university network without guarantees that they are being managed effectively in terms of security updates and protective controls being confirmed.
• Third Party Devices includes Specialist Research Equipment where the manufacturer does not allow us to manage the device. These devices must be registered as per BYOD.
• If the Third Party Devices cannot provide assurances that the devices are secured, they will be restricted as per out of date operating systems.
• Third party devices are also devices that a university user may access outside the University; public libraries, hotels etc., to log into University IT services.

1.4 Device monitoring and access 

1.4.1 The University may deny or restrict access to University information from devices which are not registered with or can provide security assurances  upon connections, this is to protect the integrity and availability of University information and services.

1.4.2 The University may scan any device used to access the University’s network or information to look for threats and to ensure information security.

1.4.3 When a threat is identified through automatic scanning of any device the University will investigate further and at its discretion may clean the device before it may be used to access the University network.

1.4.4 The University will actively prevent network and information access to any device that it has assessed and considers to be a risk to the network, IT service or information security.

1.4.5 Restrictions may be applied through assessment of devices as they connect to the university networks, and may include the imposition of configuration requirements for users to apply to devices, requirements to update software or the requirement to run managed security software.

1.5 The University may require users to give representatives access to University information stored on personally owned or third party owned devices.

1.6 The University provides guidance to help users implement this policy 

1.6.1 Guidance for policy for safe use of University information on all devices

Oversight

2. Oversight 

2.1 The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

3. Responsibilities

3.1 All users of University information are responsible for complying with this policy and other University policies for the protection of information and ensuring the security of the information to which they have access.

3.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.

3.3 Users who act in breach of this policy, or who do not act to implement it, may be referred for further action following the University’s Disciplinary procedure and guidelines.

3.4 Any violation of this policy must be reported to the Head of Cyber Security, or their nominee, who will take appropriate action and inform the relevant authorities.

Policy implementation and related documents

4. Policy implementation and related documents

This document, together with related guidance is available at:

4.1.1 University Information Policy index

4.1.2 Guidance on this policy

4.1.3 Information Classification and Handling Scheme

4.1.4 University Regulation 11: Using University Information

Document history

Document history

Review

Review cycle: Annual 

Date of next review: January 2024