- The Policy on Information Access and Security
- What you need to do to access the information you require
- What you must do to comply with security requirements
- How to report an incident and how it will be managed
- Where do you get further information?
Throughout this document the term 'sensitive information' refers to University Management Information for which access has been authorised or other information for which security precautions are appropriate, e.g. personal data. In a later section (3.x) the approved standard security classifications are defined, and the precautions appropriate to each class of sensitive information are summarised.
The Code of Practice for Information Access and Security is a companion volume to the University Policy on Information Access and Security. It provides more detail and is intended as a reference document and guide for all University staff creating, maintaining, accessing, processing or disseminating sensitive information. It addresses, in particular, key issues highlighted in British Standard BS 7799.
Its objectives are
- to inform staff how they can obtain access to the information they need,
- to ensure that staff are aware of University Policy and the importance of information security and
- to inform staff of the measures they must take to comply with University policy on information security.
The Code of Practice is issued by the University Information Access and Security Working Group on behalf of the Information Strategy Sub Committee. However, the Code of Practice is not a static document but will be updated and reissued as requirements change. This second version focuses on the security of and access to information available from the University's Management Information Systems and includes further guidance on information security classification, data protection and University email usage policy.
It is important that University staff have easy access to the information necessary to do their jobs. At the same time, however, the University must comply with legal requirements (e.g. Data Protection Act) and is critically dependent on its management information resources. The University must take appropriate steps to ensure the integrity of its information and protect sensitive information from unauthorised disclosure.
Unfortunately, the more dependent the University is on IT based information the more vulnerable it is. The network itself, in particular the Internet, is an important source of services and information resources and yet is itself at the heart of our concerns. Security threats are increasingly frequent and becoming more and more sophisticated. News media abound with tales of computer hackers, of the latest computer viruses and of systems that have been a target for computer-based fraud, sabotage or vandalism.
The security measures outlined in this Code of Practice are an acceptable compromise. They ensure that information is accessible to those that need it but at the same time ensure business continuity and minimum damage by preventing, where possible, or at least reducing, the impact of security breaches.
This document is in two parts. You are now reading Part I, an introduction to the Code of Practice. Part II sets out the key issues.
Part II is in four sections
- An introduction to the University Policy on Information Access and Security
- What you need to do to access the information you require
- What measures you must take to comply with University Security Requirements
- What you must do if you suspect unauthorised access or a potential security weakness
Almost all staff of the University are providers, users or recipients of sensitive information. The Policy and Code of Practice will affect you in different ways depending on your role.
Both the Policy and Code of Practice are available for reference on the University World-Wide Web Information Service (at http://www.bradford.ac.uk/it-services/about-us/regulations-and-policies/). The University Policy on Information Access and Security currently focuses on computer based Management Information. A separate Policy and Code of Practice on Electronic Communication focuses on Web access and authoring and use of electronic Mail.
The term management information systems is used in a very general sense to include all computer systems on campus used for administrative purposes. This not only includes centralised administrative computer systems but also servers or desktop computers used in other areas for administrative purposes.
The Policy Statement distinguishes between information and raw data. Information is made available as appropriate through the interpretation of raw data by a designated member of staff responsible for its integrity (termed a Data Steward).
The Policy in brief
The Policy statement accepts the importance of campus wide access to information:
The University recognises that all staff must have access to the information necessary to fulfil their responsibilities. Appropriate procedures will be put in place to enable staff to obtain authorised access to the information they need, in a manner which enables them to carry out their work effectively and efficiently.
However, it does so in the context of appropriate security measures and compliance with legal requirements:
Access to information must be provided in a secure manner which aims to protect the confidentiality and integrity of that information without compromise to associated information or raw data
University staff will comply with all applicable laws including the Data Protection Act, Copyright Designs and Patents Act and Computer Misuse Act.
Who is responsible for information access and security?
The Information Strategy Committee (the Executive Board) is responsible for policy formulation and overseeing its implementation.
The Academic Secretary is responsible for recording reports of security breaches or incidents and taking appropriate action (this is currently under review).
Deans and Directors are responsible for security measures appropriate to their areas and for ensuring that staff are made aware of access and security requirements.
University staff who are authorised to access information are responsible for acquainting themselves with and must comply with all aspects of the access and security policy and code of practice. In addition, staff are required to report any breach or suspected breach of security via appropriate channels as outlined below.
The University Data Protection Officer (currently the Deputy Vice-Chancellor) is responsible for ensuring that the University is Registered appropriately for uses of data covered by the Data Protection Act.
Each computer application has a designated Data Steward responsible for the integrity of its data. A list of Data Stewards is maintained by IT Services.
In order to obtain the necessary authorisation, approach the appropriate Data Steward through your Dean or Director identifying your requirements. The Data Steward will normally provide the required authorisation. The Data Steward also keeps a formal record of staff authorised to access information, which is reviewed periodically.
The information is provided solely for the member of staff requesting it. Staff may only obtain access to information through this route. It is not acceptable for information to be passed on for use by other staff (referred to later as secondary access) without prior written authority from the appropriate Data Steward.
If your request is refused by the Data Steward, you can appeal to the Data Steward's line manager, or to the Information Strategy Committee (this is currently under review).
i. Physical security
i. Office security
Locking your office door and filing cabinet is a simple but effective first barrier, reducing the risk of unauthorised access. Even if the data is not sensitive, its destruction or unauthorised change can cause disruption, cost time and money, and may be a disaster for the staff concerned. Offices containing sensitive information or equipment used to access it should always be locked whenever they are unoccupied.
ii. Positioning equipment
Computer systems used to access sensitive information should be installed where they are only accessible to authorised personnel. Display screens and printers should be positioned to avoid accidental disclosure.
iii. Avoid leaving systems 'logged in'
All users must take appropriate precautions to ensure that another user cannot gain unauthorised access using your equipment. In particular, equipment should not be left unattended unless it has a password protected screen saver or menu or it has been switched off or logged out. Users are encouraged to install protected screen savers, however, they are advised that some screen savers can cause offence and these must be avoided.
i. Choice of passwords
Some passwords (names or words in the dictionary) can easily be broken using public domain software, others (car registration or telephone numbers) are potentially guessed. The IT Servicedesk (firstname.lastname@example.org) will advise you on choosing a secure password and most University systems will disallow passwords that are easily broken.
It is important that your password is not disclosed intentionally or accidentally. Avoid writing it down and, in particular, never leave passwords on notes affixed to your screen or permanently stored on your machine. A User Name and Password are issued for personal use and must be kept secret and not communicated in any way to another person, including any other member of University staff.
A computer virus is a malicious parasitic program written to alter the way your system operates without your permission or knowledge. It may destroy data, display messages or destroy functionality. A virus spreads by copying itself through a network or to other disks as they are loaded on an infected system. The virus is propagated to a new system if it is booted from or runs a program from an infected disc. However, they are becoming more and more sophisticated. Recent examples include propagation in word processor (Word) documents, through electronic mail and through public domain software. Beware data storage devices can also be compromised.
The basis of protection is awareness of the dangers of using external discs which may be infected and the use of appropriate virus detection software . If you don't encounter an infected disc for a long while, it is easy to be lulled into a false sense of security. You are advised not to run or load any files into your system unless they come from a recognised and reliable source, which does not necessarily include all software providers. You can obtain further information from the IT Servicedesk (email@example.com).
i. Anti-virus software
Anti-virus software developed by a reputable supplier is essential for any system used for administrative purposes or processing sensitive information and is strongly recommended for all users of personal computers. It is also essential that you keep your anti-virus software up to date. Remember that new viruses are being developed all the time. Anti-virus software is site licensed for use by University staff and students and is available from the Computer Centre. For further information contact the IT Servicedesk (firstname.lastname@example.org).
Anti-virus software is also active on the central mail server. All messages are scanned for known viruses, alerting the user if a virus is detected.
ii. Virus check portable data storage devices
Any storage devices of uncertain or external origin must be checked for viruses before use. Such devices must not be used on equipment used to process sensitive information and use on any equipment should be strongly discouraged.
iii. Dangers of untested public domain software
It is important to ensure that software you use is high quality and is stable. Public domain software or freeware, much of which is available through Internet, is also a common source of viruses. The Internet is a source of software ranging from the very best to the very worst. You must not use software imported via the Internet or World Wide Web without thorough checking before use.
iv. Avoiding unauthorised disclosure of information
i. Authorisation from a Data Steward for administrative information
Authorisation from a Data Steward must be obtained prior to any use of administrative information by University staff. In particular, full authorisation is required from the appropriate Data Steward before information may be passed to another user, e.g. for secondary uses. A list of Data Stewards for different administrative information sources is available from the IT Servicedesk (email@example.com).
All use of administrative information in reports or published materials must include reference to the source of data and the date it was extracted.
Electronic mail is not a secure medium and should never be used to communicate confidential or sensitive information.
All use of electronic mail, access to the World-Wide Web or publishing on the World-Wide Web is covered by the University Policy and Code of Practice on Electronic Communication. This covers, in particular, issues of confidentiality of and rights of access.
iii. Encryption in office applications
Do not assume that information is secure just because the word 'encryption' is used in the documentation or advertising literature. Some encryption is notoriously insecure. This includes encryption provided in office applications, e.g. in Microsoft Word and Excel, and in World-Wide Web (Internet) browsers. Such encryption methods should only be used, where security is relatively unimportant. Beware that such weakly encrypted information can be cracked by using commercially available software.
iv. Disposal of equipment
All equipment or media for disposal must be appropriately decommissioned. In particular, sensitive data and software covered by non-transferrable licences must be removed from disk. File deletion only removes the index to data which means it can still be retrieved. Low level disk initialisation is required to ensure complete removal. Further advice is available from the IT Servicedesk (firstname.lastname@example.org).
v. Storage of backups
It is recommended that all information is copied regularly to backup media. It is also recommended that backup media are stored away from the equipment they protect, in case of fire or catastrophe. However, this may be unnecessary for information obtained from central administrative databases since it can easily be obtained again from central sources. Unnecessary copying increases the risk of unauthorised access and is therefore unwise. Further advice is available from the IT Servicedesk (email@example.com).
However, if backup media contain sensitive information they must be subject to stringent precautions, particularly if they are stored away from the equipment they protect and your direct supervision.
v. Removal of property from the University and computing at home
University owned equipment, data or software must not be removed from site without formal management authorisation.
If equipment (regardless of ownership) is used outside University premises to process sensitive information it must be subject to the same precautions as equipment used on the premises. In particular, the following guidelines should be applied:
i. Virus protection off campus
Personal computers must not be used to process sensitive information away from the University campus without appropriate virus protection (see 3iii).
ii. Supervision of equipment
When travelling, equipment or media carrying sensitive information must never be left unattended in public places. It is strongly recommended that, if feasible, you carry information on media separate from the computer when in transit since they are easier to supervise. It is recommended that portable computers are carried as hand-baggage.
iii. Access control
Portable or home computers are vulnerable to theft, loss or unauthorised access. If they are used to process sensitive information, access must be controlled to prevent unauthorised access, e.g. password on start up or secure file encryption (but see 3xi).
vi. Part time staff
When employing temporary staff or student labour, their access to sensitive information must be carefully controlled and supervised. In particular, students should not normally be allowed unrestricted access to information on other students or other unsupervised access.
Training on information access and security principles outlined in this Code is incorporated into appropriate University training courses.
viii. Legal requirements and Regulatory Framework
All access to and use of University facilities and the information they contain must comply with the University Regulation on Use of Computer Facilities and the Campus Network and appropriate laws (libel, the Copyright, Designs and Patents Act, the Computer Misuse Act and the Data Protection Act).
The Data Steward will normally consider the implications under the Data Protection Act when a user applies for access. In particular, before such access and use may be authorised, the Data Steward must ensure that it is included in purposes declared in the Data Protection Register, or that it will be registered separately. In addition, it is the responsibility of the user to ensure that they have gained explicit consent ,where appropriate, and that such data will not be used for other purposes and that they will be kept accurate and up-to-date and will be secure from unauthorised access or disclosure.
Further advice on Data Protection can be obtained from the University's Data Protection Officer. An advisory document is also available.
Unauthorised modification of information on a computer system is an offence under section 3 of the United Kingdom's Computer Misuse Act 1990. The maximum punishment under this section is five years imprisonment or an unlimited fine or both. Further advice on legal matters is available from the University Registrar and Secretary.
Users are also reminded that regulations regarding the transmission, storage or display of obscene material are enforceable by law under the Criminal Justice and Public Order Act 1994, to extend provision to transmission over a data communications network. The transmission, storage or display of offensive, defamatory or harassing material is strictly forbidden (particularly via the World Wide Web service), unless it is for purposes authorised by the University and appropriate Dean or Director.
ix. Software licences and contracts
i. Software Licences
Under University Computing Regulations staff and students must comply with the terms of software licence agreements, copyright and contracts. You are personally responsible for ensuring that your use of software is covered by a current licence or contract.
In particular, unauthorised copying, dissemination or use of software is strictly forbidden and is actively discouraged by the University. All University Schools and Planning Units are strongly encouraged to carry out software audits on equipment for which they are responsible. In addition, internal audit will carry out software licensing spot checks from time to time in selected areas.
ii. Who to contact
Licence details are normally available from the appropriate Dean or Director (for restricted licences), IT Services (for most site licences and contracts) or the IT Servicedesk (firstname.lastname@example.org). Copies of the Code of Conduct for the Use of Software or Datasets can also be obtained from these sources.
In order to avoid ambiguous treatment and marking of secure or sensitive information, the University recognises the four classes of information defined below. By default all office information produced by staff, e.g. memos or documents for internal circulation, is classification level 1 (campus only) unless otherwise designated.
i. Level 0: Unclassified or Public Information
- Unclassified or public information is the largest class containing the majority of information on campus.
- it requires no special marking
- it requires no special security measures
- it is available to all who wish to access it (including world wide access)
- electronic documents may be transmitted freely over the campus network and on national and international networks (e.g. using electronic mail or Web services)
ii. Level 1: Campus Only
This covers information that is only available to students and staff at Bradford. It includes memoranda, teaching material, minutes of meetings (not otherwise marked) and site licensed software.
- documents should be clearly marked 'Campus Only' but may be circulated openly on campus
- electronic documents on the Information Server and software on the University campus FTP server will have access restrictions (limited to the domain brad.ac.uk)
- electronic documents may be transmitted freely over the campus network (academic and administrative sub-networks) using electronic mail but not over links to external networks or hosts without prior authority from the University
- documents are copyright University of Bradford but may be freely copied for campus use. Copies must not be passed to a recipient external to the University without prior authority from the University
iii. Level 2: Confidential Information
This covers certain meeting minutes, general personal information, financial information or other information designated as confidential but that may be dealt with by any staff with delegated responsibility from the recipient (i.e. it is not, in a strict sense, information 'for your eyes only').
- documents should be marked 'Confidential'. Hard copy (paper) documents must enclosed in sealed envelopes also marked 'Confidential'.
- envelopes should only be opened by the designated recipient(s) or staff with appropriate delegated authority (e.g. confidential secretary or designated staff during absence)
- hard copy documents will normally be kept securely, e.g. in a locked filing cabinet
- electronic documents should normally be protected (e.g. password control and weak encryption, see section 3xi) on the originator's disks
- confidentiality of the campus network cannot be guaranteed, since it has external links to the Internet. Thus, documents must only be transmitted electronically over the campus network if they are protected (e.g. password control and weak encryption, see section 3xi) .
- documents are copyright University of Bradford but may be freely copied for personal use by recipients or staff with appropriate delegated authority. Copies may not be passed to anyone not working on behalf of the author or designated recipient
- electronic documents in this category will not normally appear on the Information (World-Wide Web) Server without special access controls
iv. Level 3: Personal and Strictly Confidential Information
This covers documents that contain highly sensitive information or personal details that are for the eyes of the recipient only, i.e. where delegated authority is not appropriate.
- the accepted marking is 'Personal and Strictly Confidential'. Hard copy (paper) documents must be enclosed in sealed envelopes also marked 'Personal and Strictly Confidential'.
- envelopes may only be opened by the designated recipient(s)
- locally stored electronic documents should be protected (e.g. at least password control and weak encryption, see section 3xi)
- documents may not be copied and are not to be passed to a third party without prior authority from the sender and recipient
- electronic documents in this category may only be transmitted (e.g. using electronic mail or file transfer) over the administrative or academic network if strong encryption (see section 3xi) is used
The following glossary defines terms in common use.
i. Weak Encryption
The term weak encryption is used to mean simple (single and often short key) encoding. It includes the limited file protection available under 'options' when saving files in Microsoft Word or Microsoft Excel. It must be stressed that documents protected with weak encryption may be decoded even if the password is not known using commercially available utilities. However, it does provide a degree of protection.
ii. Strong Encryption
Strong encryption is the term used to cover strong encoding technologies using two keys (one publicly available, the other your private or secret key). The academic community is currently interested in the use of PGP, a package which offers two key military strength encryption and is widely available and widely adopted. With appropriate key lengths and safeguards to protect your private key, documents cannot be decoded with current or projected technologies in the short to medium term future.
iii. Electronic Signatures
The term electronic signature is used for electronic certification of documents using encryption technology. They are used as proof that a document really came from the specified sender and that the document has not been changed in transit. Strong encryption technology (e.g. PGP) includes appropriate signature mechanisms, generating a block of text based on the document content and your secret key. The electronic signature is checked (during the decoding process) against the document and your public key. The document cannot be changed or the signature forged without knowing your secret key.
xii. Confidentiality of Information and University Access
Users of University computing facilities or the Campus Network are bound by University Regulations. Use is restricted to research or study approved by a Dean or Director or for authorised administrative purpose. Although incidental personal use of facilities is acceptable, the University cannot guarantee confidentiality unless the material is encrypted (see sections 3iv.ii and 3xi).
Although attempts to read another's information are forbidden under Regulations, material may be seen inadvertently by technical staff during routine maintenance activities. Such material will be treated as confidential by staff unless it falls into one of the unauthorised categories under University Regulations or the law, in which case appropriate action will be taken.
In general, the University reserves the right to access information stored on the facilities it provides or to monitor access using the University infrastructure. However, the right will only be exercised in order to access information essential for its business purposes, e.g. during absence or to investigate a suspected breach of University Regulations or the law, and only on the explicit authority of the Vice-Chancellor, or the Senior Officer responsible for the facility being used for storage or access.
A security incident is any action that leads or could potentially lead to loss of or damage to University Information or its unauthorised access or disclosure. This includes computer viruses and theft of hardware or software.
If you suspect unauthorised access or that there has been a lapse of security, you must report it as soon as possible to the Director of IT Services, or the Director of Information Services. In addition, if it is a physical security issue (a break-in or unlocked door in critical areas) you should report it immediately to the University Security Staff (Tel: 4894).
The University has an Incident Management Group which manages and oversees the Incident Management Plan for the University. When appropriate, Information Security incidents will be escalated according to the agreed procedures set out in the University’s plan.
The University is working towards compliance with the International Standards on Information Security (ISO27002) which include the development of a separate policy on Information Security Incident Response and an Information Security Incident Response Procedure.
You can obtain further information from:
- The Director of IT Services - Telephone 3115.
- The Director of Learner Support Services - Telephone 3401.
- University Secretary - Telephone 5320.
Other key contacts are:
- IT Servicedesk - Telephone 3333 or email email@example.com.
- University Data Protection Officer (currently the Deputy Vice-Chancellor) - Telephone 6305.
Content last updated: May 2014.