This policy was last reviewed by the Information Security Working Group in August 2022.
This policy was last approved by the Information Security Working Group in September 2020.
Purpose and scope
The Information Security and Data policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services). The policies, associated processes and procedures are designed to reduce information-related risk to tolerable levels. All staff must adhere to these policies to keep the College and its people secure from Information Security risks, such as ever-evolving cyber-threats or non-compliance with the Data Protection Act 2018.
Using College resources remotely (e.g. at home or other institution and locations) helps us be more flexible and productive. However, it increases the risk to systems and data from unauthorised access. This policy sets out the responsibilities for everyone who uses College resources externally, helping them reduce and mitigate these threats.
Non-compliance with policies puts people and the College at risk. A breach of information security may result in damage to you, our students, or your colleagues through the loss of control over personal data or confidential data, identity theft, fraud or financial loss. Breaches of this policy also put the College at risk of cyber-threats, legal action and regulatory penalties. Additionally, damage is sometimes irreparable and has serious reputational consequences.
Therefore, non-compliance may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action.
Where possible, individuals should use College-owned computer equipment for work purposes, as it meets minimum security requirements (e.g. encryption, automatic security updates and Antivirus software). Everyone must also take the following steps:
- Only authorised staff should use College devices
- Do not make unauthorised changes to equipment (e.g. disabling Antivirus or firewall software)
- Return all equipment (e.g. laptops, tablets and USB storage) to IT Services when leaving the College, including equipment purchased using research grants, and log out of any personal services (e.g. Apple iCloud, Adobe Creative Cloud)
- Report lost or stolen devices to IT Services immediately
- Contact IT Services when the device has problems or you notice it is not working as normal
Personally owned devices
Staff are not generally required to use their privately-owned equipment for work purposes; however, in some circumstances, it might be necessary. Individuals must carry out appropriate due diligence to mitigate the increased risk of using their own devices, especially when working with confidential data. This means they:
- Enable disk encryption and protect with a strong password
- Have a supported operating system with security updates regularly installed, including third-party applications (e.g. Adobe Acrobat)
- Enable auto-lock after a short period (e.g. 10 minutes)
- Have anti-virus software installed, updated regularly and a firewall running at all times
- Have a separate, secured account for work purposes, so others do not have access to confidential or sensitive information, and ensure the password for the login account is sufficiently long and complex
- Will not use their personal email address to conduct College work
- Avoid using public Wi-Fi to access College resources. Use a secured wireless connection wherever possible. If you have no other choice but to use public Wi-Fi, you should use a VPN
- Avoid storing a lot of information on devices; alternatively, edit directly (e.g. Google Workspace). Where data must be stored, delete it when it is no longer required
- Do not leave devices unattended in public spaces (e.g. coffee shops or trains). Additionally, consider using a cable lock to secure the device
- Be aware of your surroundings in public areas and consider buying a privacy screen if you regularly work with confidential information
- Report any lost or stolen equipment as soon as is practicably possible to IT Services
Personal devices at work
Where it is necessary to use personal devices (e.g. laptops, mobile phones, tablets, iPads) within the College environment and the device connects to the College computer services, individuals must ensure their device adheres to the guidance above, including:
- Personal devices have basic security protection in order to avoid putting the College at risk
- Ensure the device does not contain software or services that could cause damage or harm to the College services, staff and student community
- Do not use a personal device for any inappropriate activities, as highlighted in the Acceptable Use policy
Where a personal device is found to be non-compliant and a serious security risk, it may be blocked or restricted from accessing the RCA’s computer systems and services.
Data security breach process (internal)