This policy was last reviewed by the Information Security Working Group in April 2020.
This policy was last approved by the Information Security Working Group in April 2020.
Purpose and scope
The Information Security policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services) from ever-evolving cyber threats. The policies, associated processes and procedures help reduce information-related risk to tolerable levels.
Using College resources remotely (e.g. at home or at another institution) helps us be more flexible and productive. However, it increases the risk to systems and data from unauthorised access. This policy sets out the responsibilities for everyone who uses College resources externally, helping them mitigate these threats.
Non-compliance puts everyone (including the College) at risk from cyber threats and from legal and regulatory penalties. Non-compliance may therefore lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action. A breach may result in damage to you, your colleagues and friends, such as loss of control over personal data, discrimination, identity theft or fraud and financial loss.
Where possible, individuals should use College-owned equipment for work purposes, as it meets minimum security requirements (e.g. encryption, automatic security updates and Antivirus software). Everyone must also take the following steps:
● Only authorised staff should use College devices;
● Do not make unauthorised changes to equipment (e.g. disabling Antivirus or firewall software);
● Return all equipment (e.g. laptops, tablets and USB storage) to IT Services when leaving the College, including equipment purchased using research grants, and log out of any personal services (e.g. Apple iCloud, Adobe Creative Cloud);
● Report lost or stolen devices to IT Services immediately.
Personally owned devices
Staff are not generally required to use their privately-owned equipment for work purposes; however, in some circumstances, it might be necessary. Individuals must carry out appropriate due diligence to mitigate the increased risk of using such devices, especially when working with confidential data.
● Encrypted and protected with a strong password;
● Run a supported operating system with security updates regularly installed, including third-party applications (e.g. Adobe Acrobat);
● Auto-lock after a short period (e.g. 10 minutes);
● Antivirus software installed;
● Have separate, secured accounts for work purposes, so others do not have access to confidential or sensitive information;
● Avoid using public Wi-Fi to access College resources. Use a secured wireless connection wherever possible. If you have no other choice but to use public Wi-Fi, you should use a VPN;
● Avoid storing a lot of information on devices; alternatively, edit it directly (e.g. in Google Docs). Where data must be stored, delete it when it is no longer required;
● Do not leave devices unattended in public spaces (e.g. coffee shops or trains);
● Be aware of your surroundings in public areas and consider buying a privacy screen if you regularly work with confidential information.
Information security policy suite
● Data Protection Policy;
● Data Breach Policy.
Information security guidance
● Information security training (mandatory)