Security news

About IT Security 

Secure email

Secure email is a vital component of the IT Strategy and provides a way to communicate information safely and effectively with others within the University.

Secure email ensures that sensitive information is ‘protected when in transit’ in accordance with the law, government standards and contractual obligations.

More information on security can be found by searching the University policies located on the intranet:

Information security policy

An updated version of the information security policy was approved by UEB on 9 May and is available on the IT policies page.

The security policy is reviewed and updated every year to keep it current. This version clarifies the status of system backup tapes and includes a new section on secure information asset disposal covering not only PCs but also smartphones, tablets, USB flash memory sticks, DVDs etc. 

Security awareness training

Online information security training is now available to all staff through Canvas, the University’s virtual learning environment (VLE).

Find out more about online information security training 

Policies

The University has issued an updated Information Security Policy and Software Licensing Policy. These can be found on the IT Services policies page.

All staff members should be familiar with them, as well as the accompanying standards and guidance.

Information classification

As part of a more rigorous approach to information management, the University is implementing a classification scheme with three categories of information:

  • Open – intended for the public domain or that carries no appreciable confidentiality or integrity risk.
  • Restricted – intended for a defined audience but not particularly sensitive.
  • Confidential – likely to cause significant harm to the University’s reputation, assets or ability to meet its legal and contractual obligations if revealed outside of the intended audience.

Information is abstract but the artefacts that embody it must be classified according to the risk posed to the University. Only those who understand the information are able to appreciate the value of information or accurately estimate the risk due to breach of confidentiality, and therefore it is the information owners who are responsible for allocating the categories, with advice and support from IT Services, and Legal Services for Data Protection.

Good information governance is fast becoming a precondition, insisted upon by the Research Councils and others, for the award of research funding. The Information Commissioner (ICO) has widely publicised his intention to fine universities that fail to take good care of personal information.

Email redirection

Some members of the University have set up bulk email redirection to external email services such as Hotmail or Gmail. These services feature high usability but are often highly insecure and represent a significant security risk. Therefore, bulk email redirection will be withdrawn as a service for any external email system that is deemed insecure. This will not affect bulk redirection to partners and ‘trusted’ email services such as the NHS or other Universities, nor will it affect the individual’s ability to forward email messages from their email client program.

Affected users will be given three months’ notice of the withdrawal of this facility.

Mobile device security

The downloading of University email to handheld mobile devices such as smartphones and tablet computers represents a major vulnerability due to the poor security on those devices. They are easily lost or stolen and can be hacked into by relatively low-skilled attackers; device unlock codes are scant protection.

Accordingly, the University has selected mobile device management (MDM) software ‘Good for Enterprise’ that creates a secure ‘sandbox’ on the device. Users must sign on with strong passwords to gain access and the email messages are encrypted. The sandbox can be remotely ‘wiped’ in case of loss.

‘Good’ licences will be allocated by Colleges and Departments to those who need mobile email access and are deemed likely to receive confidential email (see Information Classification above). Exceptions – individuals who are unlikely to receive or send confidential email – must be approved by the appropriate Head of College or the Registrar.

There is a cost involved, but this is less than £1 per day.

Those without a Good licence will still be able to access their University email using Outlook Web Access (OWA).

Policy affirmations

The University has developed an application that will periodically remind staff to affirm their knowledge of, and intention to comply with, various University policies and track their responses. Like security awareness training (above) this is a control that is insisted upon by the Research Councils, the NHS and others in awarding research funding.

 
