Security of computers
Security of computers used to prepare examination materials
Draft exam papers must be treated carefully to avoid compromising the security and validity of the paper before the exam. The use of computers to draw up exam papers means that careful attention must be paid to the security of the PC used to write questions or to assemble the paper and to the way drafts are stored and transferred.
The permitted methods for sharing draft exam papers are:
- Via shared filestore, provided either by IT Services or by the department
- Via Google Drive with a University account
- Via an encrypted USB stick
- Via email with an encrypted document.
We strongly recommend using one of the first two methods (shared filestore or Google Drive with a University account).
Remember that email attachments are not secure. Consultations on examination questions should not be shared by email unless the attachment is encrypted, because of the risk of (1) interception and (2) accidentally sending the email to the wrong recipient.
Encryption of attachments
IT Services has a help page on how to encrypt attachments and which methods are acceptable.
Use of supported machines
Supported machines provided by IT Services will be patched and configured appropriately as part of the supported service. On a supported machine it is best to store your draft exam papers on central filestore: either your own personal area (your M or H drives) or a shared (departmental) filestore. This ensures that the files are stored securely in a central location and that proper backups are taken for disaster recovery purposes.
Access to shared filestore is available from offsite via the virtual private network (VPN).
Use of departmental-run machines (unsupported machines)
In order to be suitably secured, operating systems must be both currently supported by the vendor in terms of patches and be capable of being secured to a suitable standard. Please check that the version of the operating system you are using meets these requirements. In particular OS X prior to version 10.11 (El Capitan) and Windows prior to Windows 7 do not meet these requirements and must not be used for exam paper production. Windows XP and Windows Vista have stopped receiving security updates from Microsoft and must not be used for the production of exam papers.
General requirements for PCs
- Be only accessible via user accounts, and a separate account must be used for each user. “Guest” type accounts must not be used.
- Be fully patched with the vendor's latest patches and kept up to date at all times
- Use a file system that only allows the author or owner of a file to read it
- Must not export/share their hard drive or run file sharing software
Special requirements for Windows machines
- Be fully patched
- Set to automatically download and install patches
- Run up-to-date virus-checking software
- Be scanned for spyware and adware on a regular basis
- All local hard drives must be configured with the NTFS file system and not the FAT file system to ensure that only the owner of a file can read it
- Must not be configured to share their C:/ drive (or other hard drives if fitted)
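The general and Windows-specific requirements above can be spot-checked on the machine itself. The following PowerShell script is an added example, not part of the original guidance or an IT Services tool; it assumes Microsoft Defender is the antivirus in use, and the 7-day signature-age threshold is an illustrative value.

```powershell
# Added example: read-only audit of the Windows requirements listed above.
# Run from an elevated PowerShell prompt on the machine being checked.
$findings = [System.Collections.Generic.List[string]]::new()

# Local hard drives must use NTFS, not FAT. Volumes without a drive letter
# (for example the EFI system partition) are skipped.
Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } | ForEach-Object {
    if ($_.FileSystem -ne 'NTFS') {
        $findings.Add("Drive $($_.DriveLetter): uses $($_.FileSystem), not NTFS")
    }
}

# The machine must not share its drives. Built-in administrative shares
# (C$, ADMIN$, IPC$) are marked Special; anything else is listed for review.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $findings.Add("Share '$($_.Name)' exports $($_.Path)")
}

# Patches must download and install automatically. A policy value of
# NoAutoUpdate = 1 disables updates; AUOptions 2 or 3 only notify.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and ($au.NoAutoUpdate -eq 1 -or $au.AUOptions -in 2, 3)) {
    $findings.Add('Windows Update policy does not install patches automatically')
}

# Antivirus must be running and current (assumption: Microsoft Defender;
# the 7-day limit is an illustrative threshold, not taken from the policy).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.AntivirusEnabled) {
    $findings.Add('Microsoft Defender antivirus is not enabled')
} elseif ($mp.AntivirusSignatureAge -gt 7) {
    $findings.Add("Antivirus signatures are $($mp.AntivirusSignatureAge) days old")
}

# "Guest" type accounts must not be used. The built-in Guest account always
# has a SID ending in -501, even if it has been renamed.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    $findings.Add("Guest account '$($guest.Name)' is enabled")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

An empty result only covers the settings checked here; it does not show that the machine is fully patched or free of spyware and adware.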
Google Gmail and Docs
Google Gmail and Docs are the University's official platform for email and collaboration. We strongly recommend the use of Google Drive as a method of securely sharing documents. Google Drive can be used to store any sort of file (i.e. as a "cloud USB stick"), and it is not necessary to use the Google word processing apps etc. to use Google Drive. Find out more information about Google Workspace.
Normal 'consumer' Google accounts (or similar services) should not be used for the preparation of exams, as they provide no access to the data in cases of accidents, lost passwords etc.
Physical security
Machines should be kept in a locked office and access to this office should be restricted. In particular, visitors or students should not have unaccompanied access to the machine. Whenever the machine is left unattended it must either be switched off or be protected by a screensaver/screen lock that requires a password to gain access. It is best to set your screensaver to lock the screen automatically after a fairly short period of inactivity (for example five minutes) to ensure this.
Use of laptops
Laptops that are used both at home and on the University network present particular security risks. When placed on the internet or an unsecured home connection they can become infected in many ways, and then bring these problems back onto the University network.
To ensure security, laptops must be encrypted and run a firewall.
Use of home machines
Machines in the homes of members of staff should not be used for the production of exam papers unless:
- They are used only by the member of staff and not by any other members of their family etc.
- The machine is secured as per the instructions for departmentally run machines above and also runs a personal firewall.
The transfer of files between home and work must be done via the WebVPN, Google Drive or (as a worst option) an encrypted USB stick.
Use of departmental file servers
Any departmental fileserver must be secured to the standards above and in addition must be kept in a secure area (a dedicated machine room) which does not have general access.