Working practices for protecting information
The following page provides information on the recommended practices for protecting the confidentiality, integrity and availability of information and the systems used to handle it. By following these guidelines, you can protect yourself and others from technical, physical and personal threats to information security.
Following best practice is also necessary to comply with the requirements of University Regulation 31 governing the use of University computing facilities as well as all other information security related policies.
The Sections
- Passwords
- Basic Device and Internet Safety
- Information Asset Protection
- Third Party Access and Outsourcing
- Information Security and Systems Development
- Working Remotely
- Use of Cloud Services
Passwords
Passwords are a vital tool for securing electronic information. They provide an essential defence against unauthorised access of systems, devices, accounts and files. However, if used incorrectly, passwords are subject to many different threats. Because of this, it's important to understand how to create a strong password and how to manage passwords appropriately.
Follow these guidelines when using passwords
What makes a 'secure' password
- There is no single agreed minimum length for passwords, but longer is stronger: treat anything shorter than about 12 characters as too short. Use a mix of upper case letters, lower case letters, numbers and symbols, or a passphrase of several unrelated words, which is long yet still memorable. Never use any of the most common passwords; attackers try those lists first.
- PINs on devices should be at least 6 digits and should not be a trivial pattern such as a repeated digit or a straight run like 123456.
- Documents protected only by a password need much longer and more complex passwords than accounts do. An attacker who obtains the file can guess offline at hardware speed, with no lockout or rate limiting to slow them down.
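The rules above, and the difference between guessing against a login and guessing against a document, as an added example (Python written for this page, not University code or tooling): it checks candidate passwords and PINs against the rules listed, then estimates how long the same password would last against a rate-limited login versus an offline attack on a file the attacker already holds. The guess rates, the common-password denylist and the sample inputs are constructed assumptions, not measured figures.

```python
"""Password policy check and brute-force cost estimate.

Added example, not part of the University guidance. The guess rates, the
denylist and the sample inputs below are constructed assumptions.
"""
import math
import string
from typing import List

# Constructed stand-in for a real breached-password list (compared lower-cased).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

# Assumed guess rates in guesses per second: a throttled login form allows a
# handful of attempts, while a GPU attacking a file it already holds is limited
# only by hardware.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e9


def character_classes(pw: str) -> List[str]:
    """Names of the character classes present in the password."""
    classes = []
    if any(c.islower() for c in pw):
        classes.append("lower")
    if any(c.isupper() for c in pw):
        classes.append("upper")
    if any(c.isdigit() for c in pw):
        classes.append("digit")
    if any(c in string.punctuation for c in pw):
        classes.append("symbol")
    return classes


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, given the classes used."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    return sum(sizes[c] for c in character_classes(pw))


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy; assumes every character was chosen at random."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw: str, min_len: int = 12) -> List[str]:
    """Return the rules a password fails; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(character_classes(pw)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def _is_sequence(pin: str) -> bool:
    """True for a repeated digit or a straight run up or down (111111, 123456, 654321)."""
    if not pin or not pin.isdigit():
        return False
    start = int(pin[0])
    up = "".join(str((start + i) % 10) for i in range(len(pin)))
    down = "".join(str((start - i) % 10) for i in range(len(pin)))
    return len(set(pin)) == 1 or pin in (up, down)


def check_pin(pin: str, min_len: int = 6) -> List[str]:
    """Device PIN rules: digits only, at least min_len digits, not a trivial pattern."""
    problems = []
    if not pin.isdigit():
        problems.append("contains non-digits")
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    if _is_sequence(pin):
        problems.append("trivial pattern")
    return problems


def seconds_to_guess(pw: str, rate: float) -> float:
    """Expected time to find the password: half the keyspace at the given guess rate."""
    return (2 ** entropy_bits(pw)) / 2 / rate


def years(seconds: float) -> float:
    return seconds / (365 * 24 * 3600)


def report(pw: str) -> str:
    """One-line comparison of online versus offline attack time for a password."""
    return (f"{pw!r}: {entropy_bits(pw):.1f} bits, "
            f"online ~{years(seconds_to_guess(pw, ONLINE_RATE)):.1f} years, "
            f"offline ~{seconds_to_guess(pw, OFFLINE_RATE):.0f} seconds")


if __name__ == "__main__":
    # Constructed samples: a common password, an 8-letter lower-case password
    # and a 16-character mixed-class password.
    for pw in ("password", "abcdefgh", "Tr0ub4dor&3Xyz!q"):
        print(report(pw), "->", check_password(pw) or "passes policy")
    for pin in ("1234", "123456", "947163"):
        print(pin, "->", check_pin(pin) or "passes PIN rules")
```

Running it shows an eight-letter lower-case password surviving a throttled login for roughly three centuries but falling to an offline attack in under two minutes, which is why a document password has to be far longer than an account password. The entropy figure is an upper bound that assumes random characters; human-chosen words and keyboard patterns are guessed much sooner than the numbers suggest.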
Using passwords appropriately
- NEVER reuse your passwords across accounts. If one set of credentials is stolen, attackers will try them against other services (credential stuffing). For example, if an online shopping site you use is hacked and its usernames and passwords are stolen, cybercriminals will try those same combinations on email, banking and other sites in an effort to steal more. The simplest way to avoid this is a password manager that generates and stores a unique random password for every service; if you instead devise your own scheme for per-site passwords, make sure that one stolen password does not reveal the pattern behind the others.
- Use two factor authentication so that your accounts and devices stay protected even if your password is stolen. This is available for your Warwick account.
- If you believe something has gone wrong relating to your passwords, change them immediately. You can change your Warwick password at http://warwick.ac.uk/passwords
- If you need to send a password protected attachment, send the password via a different channel from the file, so that anyone who intercepts the message, or receives it by mistake, does not also get the password. For example, if sending an attachment via email, send the password via text or Teams.
Basic Device and Internet Safety
If you suspect that your devices have been compromised or you're experiencing problems with work devices/networks, contact the IDG HelpDesk.
Basic computer safety
- Beware of screen watchers when working in a public place or in the vicinity of others. Be especially careful when working with sensitive information and log in details.
- Always ensure you log off from public or shared devices
- Do not click on suspicious links or attachments. This is a common method of installing malicious software on your devices or stealing information, and it is usually delivered through phishing. See our page on phishing and social engineering for more information.
- Ensure that anti-virus software is installed and running. Ensure that your devices and software are always updated. For university managed machines, this will be handled by IDG but for unmanaged and personal devices, you may have to implement this yourself. See http://warwick.ac.uk/software/antivirus for more details.
- Only use trustworthy software. If you wish to use a new piece of software for work purposes, consult the IDG software pages.
Basic mobile device safety
- Keep devices physically secure and take reasonable measures to reduce the risk of theft or loss (e.g. keeping the device on person and out of sight, don’t leave unattended in hotel rooms etc.)
- Secure access to devices using an appropriate passcode, passphrase or similar; where appropriate, default settings should be changed to allow use of more advanced passcodes. PINs should be complex and no shorter than 6 digits. Pattern locks should be avoided.
- Set devices to automatically lock after a pre-defined period of inactivity (usually no more than a few minutes) and, where appropriate, to lock or wipe data if an incorrect password is entered too many times
- Use TLS (often still labelled SSL) to access University email (an option when setting up the email account), so that credentials and messages are not sent in the clear
- Ensure syncing to cloud-based services (including backup) is explicitly authorised and appropriate protection is provided
- Keep software on mobile devices up to date with the latest version
- Only install apps from trusted locations
- Be careful who can read information when viewing in public areas
- Report theft or loss of mobile devices to your department, IDG (helpdesk@warwick.ac.uk) and the police
Basic internet safety
- Do not access University information or other sensitive information over unsecured or public WiFi networks: other users of the network, or whoever operates it, may be able to intercept or monitor your traffic. If you have no alternative, connect to the University VPN first.
- Ensure that any websites you submit information to are legitimate. Do not provide any sensitive information to untrusted sources.
- Use the Warwick campus VPN when working remotely.
- Make sure you are aware of the JANET Acceptable Use Policy. JANET is the University's internet provider and has specific conditions of use. IDG provides further details on the use of University networks warwick.ac.uk/its/servicessupport/networkservices
Protecting your identity online
Identity theft is one of the fastest growing crimes in the UK and we are all susceptible. Here are some ways you can be safer:
- Be careful in public places when you're entering usernames and passwords - make sure no one can see what you're typing.
- Don't put any of your personal information in a shared public document
- Lock your computer when you're away from it (even for short breaks). You can do that by setting your smartphone, portable device or computer to lock with a PIN or password. That way no one can "hijack" your session and act as you.
- Always shut down your computer at the end of the day. A powered-off device no longer holds its disk-encryption keys in memory and cannot be reached over the network, and it's also better for the environment.
- Before you submit any of your personal info online, make sure the website you're on is legitimate and won't use the information for anything that's going to harm you.
- Don't post too much information about yourself publicly, either on social media sites like Facebook, or on websites - once you've put it up online, it's very hard to remove, because copies are cached and archived by other sites.
- Don't open any attachments or click any links in emails from people you don't know and trust - they could be part of a scam, or could install malware on your computer. See our page on spam and phishing emails.
Information Asset Protection
The following describes the necessary practices for keeping information assets secure.
Understanding risk and responsibility
- Everyone must take an active role in identifying risks to the confidentiality, integrity and availability of information.
- Practices surrounding the handling of information must be carefully chosen taking level of risk into account. The more sensitive information is, the fewer the risks that should be accepted.
- Senior members of the University must take ownership of any risks willingly accepted by individuals in departments which they oversee.
- All individuals are responsible for following appropriate security practices when handling information.
- All individuals have a responsibility to identify risks and protect information in their area.
- Registers of the systems and devices used for the storage of information must be maintained on a departmental level. Understanding where information is kept is key to maintaining all aspects of information security.
- Business continuity plans, contingency plans and risk registers must take into account the risks surrounding loss of information or the systems used to handle it
- Departments must take responsibility for administering who has access to particular information. Access to information and systems which hold it must be regularly reviewed. Access must only be granted when there is a need for an individual to access information and access must be rescinded once that individual no longer needs to access information.
Storage and handling
- All information must be handled in line with IG05 Information Classification Policy
- University information must not be stored in local storage spaces on devices (e.g. C: Drive, D: Drive) as these are not backed up.
- University information must only be stored in locations administered by or otherwise approved by the University, such as department shared drives (M: Drive), H: Drive, OneDrive, SharePoint or, if needed, encrypted portable media devices.
- All information must be retained, destroyed or archived in line with the University's Records Retention Schedule.
- Email clients and inboxes must not be used as a mode of storage.
- Work areas must be kept clear of any exposed, sensitive information. E.g. physical papers containing sensitive information must not be left out on desks.
- Areas containing devices or media holding sensitive information must be kept physically secure. Doors and windows should be locked when unattended. Access must be restricted for all but authorised personnel.
- Dispose of paper containing sensitive information either by cross-cut shredding or placing in the provided confidential waste cabinets or bags.
Sharing information
- University information must only be shared via services made available by, or authorised by, the University. Personal email accounts should not be used to handle University information.
- Sensitive information must only be sent via secure means. This includes sharing via SharePoint and OneDrive, sending email attachments that are encrypted with a strong password (a document merely marked read-only or 'protected' from editing is not encrypted), or other means which have specifically been approved by Information Security Risk & Compliance.
- Sensitive information must not be sent via email unless it is contained within an attachment which is both encrypted and password protected, with the password sent via a different channel, or it is sent via an email encryption service which has been approved by the University.
- Remember if you plan to share personal information i.e. information which can identify a living person, you are required under the General Data Protection Regulation 2016 and Data Protection Act 2018 and the University Data Protection Policy to ensure that the other party is able to appropriately safeguard the information.
- These requirements are usually set out and agreed as part of a Data Processing or Data Sharing Agreement or similar clauses within a formal contract.
- The Information and Data Compliance Team can help with this please contact them on infocompliance@warwick.ac.uk
Third Party Access and Outsourcing
Outsourcing and third party suppliers
The University provides 'approved' IT facilities and services. These are defined as provided directly by University staff and facilities or those provided by a third party on behalf of the University and subject to a formal legal contract and/or service level agreement.
We acknowledge that staff and students are able to access unapproved IT facilities, mostly available via the Internet, provided by third parties with which the University does not have any formal agreement. Examples of this are the use of Google Docs, DropBox and Hotmail/Gmail. There are a number of concerns associated with using unapproved third party services including:
- Who may have access to user data
- How user data is used
- Where user data is stored
- How securely user data is stored
- How viable the facility will be in the long term
- Whether user data will be recovered in the event of a disaster
- How much support will be provided in the event of a problem
The University also has a legal obligation to ensure that any third parties who handle its data do so in a secure manner when personal data is involved.
Because of this, it is essential that approved services are used. If you wish to use a service which has not yet been approved, you must follow the appropriate process around approving third party suppliers.
Departments will be accountable for ensuring that risks are identified and managed where University information is to be accessed or handled by third parties. This is to protect the interests of the University and continue the safeguarding of University information in line with our legal obligations.
Third party access to information and systems
A named University staff member (or named members) will be accountable for managing the access provided to a third party and their activities on the network. The named University individual(s) will ensure that obligations around acceptable use and event record keeping are understood by the third party prior to access being granted.
IDG can advise on the standard event logging requirement to comply with our obligations under the JANET Acceptable Use Policy.
Third party access (physical or logical) will be strictly controlled and must only allow access to information or systems necessary to carry out the agreed activities. This is to reduce the risk of disclosure or theft of University information, theft or damage to equipment (intentional or accidental) or misuse of information or facilities.
Temporary guest access to the University network will be approved and facilitated by IDG (helpdesk@warwick.ac.uk)
Information Security and Systems Development
Development and test systems and data must be kept separate from live systems and data; live data must not be used for testing or development. Test environments typically have weaker access controls and wider access than production, so copying live data into them extends its exposure; use synthetic or properly anonymised data instead.
As part of the requirements gathering and testing process for new systems or changes to existing ones, those running the project (developers, project managers, Business Analysts or local IT/project leads) will liaise with the senior members of the University responsible for the information held in those systems and with Information Security Risk & Compliance. This is to allow potential threats and concerns to be identified early, so that the information held or to be held in the system can be properly secured.
Working Remotely
Although working away from your normal workstation is efficient and often essential, it carries new security risks, so a heightened awareness of information security is necessary. You can mitigate these additional risks by following the practices below.
- Use the University's VPN.
- Access your files via SharePoint, OneDrive, MyFiles, MyFiles WebDAV, M: Drive or H: Drive. Avoid using methods like Emails or unapproved cloud storage services (e.g. DropBox) as a means of accessing your work remotely.
- Do not access University information in a public place (E.g. café, public transport etc.)
- Be careful what networks you connect to. Do not use insecure, public WiFi networks. Consider using mobile data via hotspot if you cannot find a trustworthy network to connect to.
- Be careful not to leave devices unattended in public. Lost devices are a very common form of data breach.
- Do not rely on email as a method of communicating sensitive information.
- Ensure that any devices you use for remote working have full-disk encryption enabled (e.g. BitLocker on Windows, FileVault on macOS), so that a lost or stolen device does not expose the data on it.
- For further details refer to IS10: Mobile and Remote Working Policy.
Use of Cloud Services
The following is guidance on the use and selection of cloud services. The University is likely to undergo a more substantial review of its approach to cloud services in the near future so this may be subject to change.
Using cloud-based services is fast becoming an ingrained part of storing, sharing and processing information. When dealing with university-related information, whether that be business information, research data, personal data, commercial information or any other form of information, you must only use services provided or otherwise approved by the University. Below is a list of what you can already use and guidance on how to get new services approved.
What can I use?
- OneDrive for Business, as provided by the University, can be used for storage and sharing of data. It is ideal for individual work and more basic sharing. It also provides a reliable way of accessing documents remotely and on different devices, and allows easy and secure sharing of files with others. For more substantial, collaborative projects, however, you may wish to consider a different product.
- SharePoint, as provided by the University, is in many respects similar to OneDrive but is more tailored to collaborative work. It's suitable for storing and sharing information, with the caveat that individuals and teams get prior training on using SharePoint.
- M: Drive: this is the shared area of Warwick's own fileshare, normally accessed through File Explorer. It is suitable for storage of files that need to be accessed by multiple people in a team. However, extra precautions are needed when storing sensitive information here, such as password protection and encryption of documents and further restrictions on who can access such files. The M: Drive is not well equipped for either external sharing or collaboration on specific files.
- H: Drive: this is your personal area of Warwick's own fileshare. The same principles as for the M: Drive apply here.
- Approved software and solutions: many products in use at the University are cloud based or involve use of a cloud service in some way. Provided they have gone through assessment and/or have been approved by the software team, it is acceptable for them to be used.
- Use of external cloud providers for particular projects is permitted, for example research projects that require the use of AWS or Azure, provided that this has been approved.
How do I get a new service approved?
Typically, the best way of getting a new service approved from a security point of view is to follow our due diligence process and fill out an assessment form. Occasionally, some of the more basic cloud-based products will be approved via software requests made through IDG; these will be passed on to us if there are any risks that need looking into.
If there is any further clarity needed or you're not sure on whether a cloud service is approved, you can contact Information Risk and Compliance directly.
If you feel there's a valid case for an exception being made for your use of cloud services, Information Risk and Compliance must be contacted for approval via the Exceptions process. However, it is unlikely that an exception would be made unless there is a necessary business reason for such an exception. Personal preference for similar but different tools already provided by the University is not a valid reason for an exception to be made.
Why can't I use other cloud services?
Use of unmanaged or unapproved cloud services can present a range of issues, even in the case of mainstream services like DropBox and Google Drive. These services might have good security measures, but they still cause problems when you use them for university-related work.
- Legal issues: if any third party handles personal data, for example because you store it in a third party cloud storage platform like DropBox, agreements are usually necessary to manage the risks. Without such an agreement, if something goes wrong with the platform the third party can absolve itself of much of the responsibility, leaving the University to bear the consequences.
- Continuity can also be affected by the use of unapproved services. For example, a department might use DropBox to store a lot of files that continually need to be accessed. If staff members leave or login credentials are lost, there is no way for the University to retrieve that information.
- Overcomplication of processes: one of the main reasons for standardising on particular services is consistency and simplification of working processes. If information is handled on a few particular platforms, consistency in processes can be achieved across the whole institution.
- Security: third party platforms that haven't been reviewed by the University may have inherent security flaws. Without the University reviewing and addressing these issues, we cannot be sure that platforms are safe to use.
- Information management practices: some cloud storage platforms might not have the appropriate features for effective information management in an institution like the University. An example of this is Google Drive, which may be favoured by some for personal use but is not an efficient tool for work in the University.