The following page provides information on the recommended practices for protecting the confidentiality, integrity and availability of information and the systems used to handle it. By following these guidelines, you can protect yourself and others from technical, physical and personal threats to information security.
Following best practice is also necessary to comply with the requirements of University Regulation 31 governing the use of University computing facilities as well as all other information security related policies.
- Basic Device and Internet Safety
- Electronic Information Asset Protection
- Third Party Access and Outsourcing
- Information Security and Systems Development
- Working Remotely
Passwords are a vital tool for securing electronic information. They provide an essential defence against unauthorised access to systems, devices, accounts and files. However, if used incorrectly, passwords are exposed to many different threats. Because of this, it is important to understand how to create a strong password and how to manage passwords appropriately.
Follow these guidelines when using passwords:
What makes a 'secure' password
- There is no universally agreed minimum length for passwords, but the general rule holds: passwords that are too short are insecure. A password should contain a mix of upper case letters, lower case letters, numbers and symbols, and it should be memorable but not easy to guess. Never use any of the most common passwords; these appear in every attacker's guessing list regardless of how many character classes they contain.
- PINs on devices should not be trivial patterns (e.g. 000000 or 123456) and should be at least 6 digits.
- Password-protected documents require much longer, more complex passwords. Unlike an online account, a document has no lockout, rate limiting or second factor: an attacker who obtains a copy of the file can try passwords offline at very high speed, so only the length and unpredictability of the password protects it from brute force attacks.
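The following Go program is an added example illustrating the three checks above and the difference between online and offline guessing; it is not part of the University's guidance. The minimum length of 12, the requirement for three character classes, the symbol alphabet of 33 printable ASCII characters and the tiny denylist are all assumptions made here for illustration; a real deployment would load a published common-password list and tune the thresholds to its own policy.

```go
package main

import (
	"fmt"
	"math"
	"unicode"
)

// commonPasswords is a constructed, deliberately tiny denylist standing in for a
// real most-common-passwords list with hundreds of thousands of entries.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "qwerty": true, "letmein": true,
	"welcome1": true, "Password1!": true,
}

// PolicyResult records the outcome of each check on a candidate password.
type PolicyResult struct {
	LongEnough   bool    // meets the assumed minimum length
	MixedClasses bool    // uses at least three of: lower, upper, digit, symbol
	NotCommon    bool    // not on the denylist
	EntropyBits  float64 // log2 of the brute-force keyspace implied by length and classes
}

// OK reports whether every check passed.
func (r PolicyResult) OK() bool { return r.LongEnough && r.MixedClasses && r.NotCommon }

// charsetSize returns the alphabet size an attacker must search given the
// character classes present in pw, and how many classes were used.
func charsetSize(pw string) (size, classes int) {
	var lower, upper, digit, symbol bool
	for _, c := range pw {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			symbol = true // assumed: 33 printable ASCII punctuation characters
		}
	}
	for _, cls := range []struct {
		used bool
		n    int
	}{{lower, 26}, {upper, 26}, {digit, 10}, {symbol, 33}} {
		if cls.used {
			size += cls.n
			classes++
		}
	}
	return size, classes
}

// CheckPassword applies the rules from the guidance: not too short (minLen is
// the caller's policy), a mix of character classes, and not a common password.
// Composition alone is not enough: "Password1!" passes the first two checks
// and still fails because it is on every cracking wordlist.
func CheckPassword(pw string, minLen int) PolicyResult {
	size, classes := charsetSize(pw)
	n := len([]rune(pw))
	entropy := 0.0
	if n > 0 {
		entropy = float64(n) * math.Log2(float64(size))
	}
	return PolicyResult{
		LongEnough:   n >= minLen,
		MixedClasses: classes >= 3,
		NotCommon:    !commonPasswords[pw],
		EntropyBits:  entropy,
	}
}

// CrackSeconds is the worst-case time to exhaust pw's keyspace at the given
// guess rate. An online login with lockout allows perhaps 10 guesses/s; an
// attacker holding a copy of a password-protected document can test on the
// order of 1e10 guesses/s on commodity hardware (both rates are assumptions).
func CrackSeconds(pw string, guessesPerSecond float64) float64 {
	size, _ := charsetSize(pw)
	return math.Pow(float64(size), float64(len([]rune(pw)))) / guessesPerSecond
}

func main() {
	for _, pw := range []string{"Password1!", "Tr0ub4dor&3", "correct-Horse7battery"} {
		r := CheckPassword(pw, 12)
		fmt.Printf("%-24s ok=%-5v len=%v mix=%v notCommon=%v entropy=%.0f bits\n",
			pw, r.OK(), r.LongEnough, r.MixedClasses, r.NotCommon, r.EntropyBits)
	}
	pw := "sunflower" // nine lowercase letters, typical of a document password
	fmt.Printf("online (10/s):    %.0f years\n", CrackSeconds(pw, 10)/(3600*24*365))
	fmt.Printf("offline (1e10/s): %.0f seconds\n", CrackSeconds(pw, 1e10))
}
```

The last two lines of output make the document-password point: the same nine-letter password that would take thousands of years to exhaust through a rate-limited login falls in minutes when the file itself is in the attacker's hands.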
Using passwords appropriately
- NEVER reuse your passwords across accounts. If your credentials are stolen, attackers will try them against other services. For example, if an online shopping site you use is hacked and its usernames and passwords are stolen, cybercriminals will try those same credentials elsewhere on the web (known as credential stuffing) in an effort to take over more accounts. Use a genuinely different password for every platform; a password manager that generates and stores them is the most reliable way to do this, since predictable per-site variations of one password are easily guessed once a single copy leaks.
- Use two-factor authentication to keep your accounts and devices secure even if your password is stolen. This is available for your Warwick account.
- If you believe something has gone wrong relating to your passwords, change them immediately. You can change your Warwick password at http://warwick.ac.uk/passwords
- If you need to send a password-protected attachment, send the password through a different channel from the file. For example, if you send the attachment by email, send the password by text message or Skype for Business, so that anyone who intercepts the email does not also receive the password.
If you suspect that your devices have been compromised or you're experiencing problems with work devices/networks, contact the IT Services HelpDesk.
Basic computer safety
- Beware of people watching your screen when working in a public place or in the vicinity of others. Be especially careful when working with sensitive information and login details.
- Always ensure you log off from public or shared devices.
- Do not click on suspicious links or attachments. This is a common method of installing malicious software on your devices or stealing information, and is often conducted through phishing. See our page on scams and social engineering for more information.
- Ensure that anti-virus software is installed and running. Ensure that your devices and software are always updated. For university managed machines, this will be handled by ITS but for unmanaged and personal devices, you may have to implement this yourself. See http://warwick.ac.uk/software/antivirus for more details.
- Only use trustworthy software. If you wish to use a new piece of software for work purposes, consult the IT Services software pages.
Basic mobile device safety
Basic internet safety
- Do not access University information or other sensitive information on unsecured/public WiFi networks. Cybercriminals may be able to monitor your activity.
- Ensure that any websites you submit information to are legitimate. Do not provide any sensitive information to untrusted sources.
- Use the Warwick campus VPN when working remotely.
- Make sure you are aware of the JANET Acceptable Use Policy. JANET is the University's internet provider and has specific conditions of use. IT Services provides further details on the use of University networks warwick.ac.uk/its/servicessupport/networkservices
Protecting your identity online
Identity theft is one of the fastest growing crimes in the UK and we are all susceptible. Here are some ways you can be safer:
The following describes the necessary practices for keeping information assets secure.
Understanding risk and responsibility
- Everyone must take an active role in identifying risks to the confidentiality, integrity and availability of information.
- Practices surrounding the handling of information must be carefully chosen taking level of risk into account. The more sensitive information is, the fewer the risks that should be accepted.
- Senior members of the University must take ownership of any risks willingly accepted by individuals in departments which they oversee.
- All individuals are responsible for following appropriate security practices when handling information.
- All individuals have a responsibility to identify risks and protect information in their area.
- Registers of the systems and devices used for the storage of information must be maintained on a departmental level. Understanding where information is kept is key to maintaining all aspects of information security.
- Business continuity plans, contingency plans and risk registers must take into account the risks surrounding loss of information or of the systems used to handle it.
- Departments must take responsibility for administering who has access to particular information. Access to information and systems which hold it must be regularly reviewed. Access must only be granted when there is a need for an individual to access information and access must be rescinded once that individual no longer needs to access information.
Storage and handling
- All information must be handled in line with the Information Classification and Handling Procedure.
- University information must not be stored in local storage spaces on devices (e.g. C: Drive, D: Drive) as these are not backed up.
- University information must only be stored in locations administered by or otherwise approved by the University, such as departmental shared drives (M: Drive), the H: Drive, OneDrive, SharePoint or, if needed, encrypted portable media devices.
- University information must only be shared via services made available by, or authorised by, the University.
- Sensitive information must only be sent via secure means (as outlined in the Information Classification and Handling Procedure). This includes SharePoint, OneDrive, Files.Warwick, email attachments which are both encrypted and password protected, or other means which have specifically been approved by Information Security.
- Sensitive information must not be sent via email unless it is contained within an attachment which is both password protected and encrypted, or it is sent via an email encryption service which has been approved by the University. Password protection alone is not enough: the protection comes from encrypting the file contents with a key derived from a strong password, and from sending that password through a separate channel.
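The Go program below is an added example, not part of the University's procedure, showing what "encrypted and password protected" means in practice for an attachment sent by email, and why the password is sent separately (see the password guidance above and the two points immediately above). It derives a key from the password with PBKDF2-HMAC-SHA256 (implemented here on top of the standard library HMAC) and encrypts with AES-256-GCM, so a wrong password or any tampering with the file is detected rather than producing garbage. The iteration count of 600,000, the 16-byte salt and the on-disk layout (salt, then nonce, then ciphertext and tag) are choices made for this example; the sample plaintext and password are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	keyLen     = 32     // AES-256
	iterations = 600000 // assumed: slows offline guessing of the attachment password
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF.
// Each output block T_i = U_1 xor U_2 xor ... xor U_c, where
// U_1 = PRF(password, salt || INT(i)) and U_j = PRF(password, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// Encrypt returns salt || nonce || AES-GCM(ciphertext || tag). The header
// (salt and nonce) is passed as additional authenticated data so it cannot
// be altered without the tag check failing.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte{}, salt...), nonce...)
	return gcm.Seal(header, nonce, plaintext, header), nil
}

// Decrypt reverses Encrypt. A wrong password yields a different key and so an
// authentication failure; a modified byte anywhere in the file does the same.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("ciphertext too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM([]byte(password), salt)
	if err != nil {
		return nil, err
	}
	hdrLen := saltLen + gcm.NonceSize()
	if len(blob) < hdrLen+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	header, nonce, ct := blob[:hdrLen], blob[saltLen:hdrLen], blob[hdrLen:]
	return gcm.Open(nil, nonce, ct, header)
}

func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: the password would travel by text message, not in the same email.
	blob, err := Encrypt("correct-Horse7battery", []byte("salary review notes"))
	if err != nil {
		panic(err)
	}
	fmt.Println("attachment bytes:", hex.EncodeToString(blob))
	pt, err := Decrypt("correct-Horse7battery", blob)
	fmt.Printf("recipient reads: %q (err=%v)\n", pt, err)
	_, err = Decrypt("guess", blob)
	fmt.Println("wrong password:", err)
}
```

Note what this does and does not give you: the file is unreadable without the password and is rejected if altered in transit, but the email still leaks that a protected attachment was sent and to whom, and the protection is only as strong as the password, which is why the document password rules above call for much longer passwords than an online account.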
- Remember if you plan to share personal information i.e. information which can identify a living person, you are required under the General Data Protection Regulation 2016 and Data Protection Act 2018 and the University Data Protection Policy to ensure that the other party is able to appropriately safeguard the information.
- These requirements are usually set out and agreed as part of a Data Processing or Data Sharing Agreement or similar clauses within a formal contract.
- The Information and Data Compliance Team can help with this; please contact them at GDPR@warwick.ac.uk
Outsourcing and third party suppliers
The University provides 'approved' IT facilities and services. These are defined as provided directly by University staff and facilities or those provided by a third party on behalf of the University and subject to a formal legal contract and/or service level agreement.
We acknowledge that staff and students are able to access unapproved IT facilities, mostly available via the Internet, provided by third parties with which the University does not have any formal agreement. Examples of this are the use of Google Docs, DropBox and Hotmail/Gmail. There are a number of concerns associated with using unapproved third party services including:
The University also has a legal obligation to ensure that any third parties who handle its data do so in a secure manner when personal data is involved.
Because of this, it is essential that approved services are used. If you wish to use a service which has not yet been approved, you must follow the appropriate process around approving third party suppliers.
Departments will be accountable for ensuring that risks are identified and managed where University information is to be accessed or handled by third parties. This is to protect the interests of the University and continue the safeguarding of University information in line with our legal obligations.
Third party access to information and systems
A named University staff member (or named members) will be accountable for managing the access provided to a third party and their activities on the network. The named University individual(s) will ensure that obligations around acceptable use and event record keeping are understood by the third party prior to access being granted.
IT Services can advise on the standard event logging requirement to comply with our obligations under the JANET Acceptable Use Policy.
Third party access (physical or logical) will be strictly controlled and must only allow access to information or systems necessary to carry out the agreed activities. This is to reduce the risk of disclosure or theft of University information, theft or damage to equipment (intentional or accidental) or misuse of information or facilities.
Temporary guest access to the University network will be approved and facilitated by IT Services (email@example.com)
Development and test systems and data must be kept separate from live systems and data; live data must not be used for testing or development.
As part of requirements gathering and testing for new systems, or for changes to existing ones, those running the project (developers, project managers, IT Services Analysts, Business Analysts or local IT/project leads) will liaise with the senior members of the University responsible for the information the system will hold, and with IT Security and Information Security. This allows potential threats and concerns to be identified early, so that the information held, or to be held, in the system can be properly secured.
Although often efficient and sometimes essential, working away from your normal workstation carries new security risks, so a heightened awareness of information security is necessary. You can mitigate these additional risks by following the practices below.
- Use the University's VPN.
- Access your files via SharePoint, OneDrive for Business, MyFiles, MyFiles WebDAV, Files.Warwick, M: Drive or H: Drive. Avoid using email or unapproved cloud storage services (e.g. DropBox) as a means of accessing your work remotely.
- Do not access University information in a public place (E.g. café, public transport etc.)
- Be careful what networks you connect to. Do not use insecure, public WiFi networks. Consider using mobile data via hotspot if you cannot find a trustworthy network to connect to.
- Be careful not to leave devices unattended in public. Lost devices are a very common form of data breach.
- Do not rely on email as a method of communicating sensitive information.
- Ensure that any devices you use for remote working have full-disk encryption enabled, so that a lost or stolen device does not expose the information stored on it.