The following page provides information on the recommended practices for protecting the confidentiality, integrity and availability of information and the systems used to handle it. By following these guidelines, you can protect yourself and others from technical, physical and personal threats to information security.
Following best practice is also necessary to comply with the requirements of University Regulation 31 governing the use of University computing facilities as well as all other information security related policies.
- Basic Device and Internet Safety
- Electronic Information Asset Protection
- Third Party Access and Outsourcing
- Information Security and Systems Development
- Working Remotely
- Using Cloud Services
Passwords are a vital tool for securing electronic information. They provide an essential defence against unauthorised access of systems, devices, accounts and files. However, if used incorrectly, passwords are subject to many different threats. Because of this, it's important to understand how to create a strong password and how to manage passwords appropriately.
Follow these guidelines when using passwords
What makes a 'secure' password
- There is no agreed upon minimum length for passwords. But you should follow the general rule that passwords that are too short are insecure. They should contain a mix of upper case letters, lower case letters, numbers and symbols. It should be memorable but not easy to guess. Avoid using any of the most common passwords
- PINs on devices should be complex and minimum 6 characters
- Documents require much longer, more complex passwords as there are no additional measures to protect them form brute force attacks..
Using passwords appropriately
- NEVER reuse your passwords for other accounts. If your account credentials get stolen, attackers will try to access other services or accounts. For example, if you have an account with an online shopping site, which gets hacked and passwords/usernames are stolen, cybercriminals will try and use those passwords and usernames elsewhere on the web in an effort to steal more information. A good way to avoid this issue is to come up with your own methodology for devising a unique password for every platform.
- Use two factor authentication to keep your accounts and devices secure if your password is ever stolen. This is available for your Warwick account.
- If you believe something has gone wrong relating to your passwords, change them immediately. You can change your Warwick password at http://warwick.ac.uk/passwords
- If you need to send a password protected attachment, send the password via a different medium to the file. For example, if sending an attachment via email, send the password via text or Skype for Business.
If you suspect that your devices have been compromised or you're experiencing problems with work devices/networks, contact the IT Services HelpDesk.
Basic computer safety
- Beware of screen watchers when working in a public place or in the vicinity of others. Be especially careful when working with sensitive information and log in details.
- Always ensure you log off from public or shared devices
- Do not click on suspicious links or attachments This is a common method of installing malicious software on your devices or stealing information. This is often conducted through phishing. See our page on phishing and social engineering for more information.
- Ensure that anti-virus software is installed and running. Ensure that your devices and software are always updated. For university managed machines, this will be handled by ITS but for unmanaged and personal devices, you may have to implement this yourself. See http://warwick.ac.uk/software/antivirus for more details.
- Only use trustworthy software. If you wish to use a new piece of software for work purposes, consult the IT Services software pages.
Basic mobile device safety
Basic internet safety
- Do not access University information or other sensitive information on unsecured/public WiFi networks. Cybercriminals may be able to monitor your activity.
- Ensure that any websites you submit information to are legitimate. Do not provide any sensitive information to untrusted sources.
- Use the Warwick campus VPN when working remotely.
- Make sure you are aware of the JANET Acceptable Use Policy. JANET is the University's internet provider and has specific conditions of use. IT Services provides further details on the use of University networks warwick.ac.uk/its/servicessupport/networkservices
Protecting your identity online
Identity theft is one of the fastest growing crimes in the UK and we are all susceptible. Here are some ways you can be safer:
The following describes the necessary practices for keeping information assets secure.
Understanding risk and responsibility
- Everyone must take an active role in identifying risks to the confidentiality, integrity and availability of information.
- Practices surrounding the handling of information must be carefully chosen taking level of risk into account. The more sensitive information is, the fewer the risks that should be accepted.
- Senior members of the University must take ownership of any risks willingly accepted by individuals in departments which they oversee.
- All individuals are responsible for following appropriate security practices when handling information.
- All individuals have a responsibility to identify risks and protect information in their area.
- Registers of the systems and devices used for the storage of information must be maintained on a departmental level. Understanding where information is kept is key to maintaining all aspects of information security.
- Business continuity plans, contingency plans and risk registers must take into account the risks surrounding loss of information or the systems used to handle it
- Departments must take responsibility for administering who has access to particular information. Access to information and systems which hold it must be regularly reviewed. Access must only be granted when there is a need for an individual to access information and access must be rescinded once that individual no longer needs to access information.
Storage and handling
- All information must be handled in line with IG05 Information Classification Policy
- University information must not be stored in local storage spaces on devices (e.g. C: Drive, D: Drive) as these are not backed up.
- University information must only be stored in locations administered by or otherwise approved by the University. Such as department shared drives (M: Drive), H: Drive, OneDrive, SharePoint or encrypted portable media devices if needed.
- University information must only be shared via services made available by, or authorised by, the University. Personal email accounts should not be used to handle University information.
- Sensitive information must only be sent via secure means. This includes SharePoint, OneDrive, Files.Warwick, as email attachments which are both encrypted and password protected or other means which have specifically been approved by Information Security.
- Sensitive information must not be sent via email unless it is contained within an attachment which is both password protected and encrypted. Or it is sent via an email encryption service which has been approved by the University.
- Remember if you plan to share personal information i.e. information which can identify a living person, you are required under the General Data Protection Regulation 2016 and Data Protection Act 2018 and the University Data Protection Policy to ensure that the other party is able to appropriately safeguard the information.
- These requirements are usually set out and agreed as part of a Data Processing or Data Sharing Agreement or similar clauses within a formal contract.
- The Information and Data Compliance Team can help with this please contact them on GDPR@warwick.ac.uk
Outsourcing and third party suppliers
The University provides 'approved' IT facilities and services. These are defined as provided directly by University staff and facilities or those provided by a third party on behalf of the University and subject to a formal legal contract and/or service level agreement.
We acknowledge that staff and students are able to access unapproved IT facilities, mostly available via the Internet, provided by third parties with which the University does not have any formal agreement. Examples of this are the use of Google Docs, DropBox and Hotmail/Gmail. There are a number of concerns associated with using unapproved third party services including:
The University also has a legal obligation to ensure that any third parties who handle its data do so in a secure manner when personal data is involved.
Because of this, it is essential that approved services are used. If you wish to use a service which has not yet been approved, you must follow the appropriate process around approving third party suppliers.
Departments will be accountable for ensuring that risks are identified and managed where University information is to be accessed or handled by third parties. This is to protect the interests of the University and continue the safeguarding of University information in line with our legal obligations.
Third party access to information and systems
A named University staff member (or named members) will be accountable for managing the access provided to a third party and their activities on the network. The named University individual(s) will ensure that obligations around acceptable use and event record keeping are understood by the third party prior to access being granted.
IT Services can advise on the standard event logging requirement to comply with our obligations under the JANET Acceptable Use Policy.
Third party access (physical or logical) will be strictly controlled and must only allow access to information or systems necessary to carry out the agreed activities. This is to reduce the risk of disclosure or theft of University information, theft or damage to equipment (intentional or accidental) or misuse of information or facilities.
Temporary guest access to the University network will be approved and facilitated by IT Services (firstname.lastname@example.org)
Development and test systems and data must be kept separate from live systems and data; live data must not be used for testing or development.
As part of the requirements gathering and testing process for new or changes to existing systems, project executives (developers, project managers, IT Services Analysts, Business Analysts or local IT/project leads) will liaise with the senior members of the University responsible for the information contained within said systems, IT Security and Information Security. This is to allow for potential threats and concerns to be identified to assure that the information held or to be held in the system can be properly secured.
Although being efficient and often essential, working away from your normal workstation carries with it new security risks and so a heightened awareness of information security is necessary. You can mitigate these additional risks by following the below practices.
- Use the University's VPN.
- Access your files via SharePoint, OneDrive for Business, MyFiles, MyFiles WebDAV, Files.Warwick, M: Drive or H: Drive. Avoid using methods like Emails or unapproved cloud storage services (e.g. DropBox) as a means of accessing your work remotely.
- Do not access University information in a public place (E.g. café, public transport etc.)
- Be careful what networks you connect to. Do not use insecure, public WiFi networks. Consider using mobile data via hotspot if you cannot find a trustworthy network to connect to.
- Be careful not to leave devices unattended in public. Lost devices are a very common form of data breach.
- Do not rely on email as a method of communicating sensitive information.
- Ensure that any devices you use for remote working have adequate encryption.
The following is guidance on the use and selection of cloud services. The University is likely to undergo a more substantial review of its approach to cloud services in the near future so this may be subject to change.
Using cloud-based services is fast becoming an ingrained part of storing, sharing and processing information. When dealing with university-related information, whether that be business information, research data, personal data, commercial information or any other form of information, you must only use services provided or otherwise approved by the University. Below is a list of what you can already use and guidance on how to get new services approved.
What can I use?
- OneDrive for Business as provided by the University, can be used for storage and sharing of data. It is ideal for individual work and more basic sharing. It also provides a reliable way of accessing documents remotely and on different devices. It also allows for easy and secure sharing of files to others. For more substantial, collaborative projects, you may wish to consider a different product however
- SharePoint as provided by the University, is in many respects similar to OneDrive however, it is more tailored to collaborative work. It's suitable for storing and sending information with the caveat that individuals and teams get prior training on using SharePoint. Training on SharePoint is available through ITS.
- M: Drive this is the shared area of Warwick's own fileshare. Normally accessed by file explorer. This is suitable for storage of files that need to be accessed by multiple people in a team. However, it is important to note that extra precautions are needed when storing sensitive information here. Such as password protection of documents, encryption and further restrictions to who can access such files. The M: Drive is not well equipped for either external sharing or collaboration on specific files.
- H: Drive this is your personal area of Warwick's own fileshare. The same principles as use of the M: Drive apply here.
- Approved software and solutions many products in use at the University are cloud based or involve use of a cloud service in some way. Provided they have gone through assessment and / or have been approved by the software team, it is acceptable for them to be used.
- Use of external cloud providers for various projects is permitted, for example in the case of research projects that require the use of AWS or Azure, provided that this has been approved.
How do I get a new service approved?
Typically, the best way of getting a new service approved from a security point of view is to follow our due diligence process and fill out an assessment form. Occasionally, some of the more basic examples of products which utilise the cloud will be approved via software requests made via ITS. These will be passed on to us if there's any risks that need looking into.
If there is any further clarity needed or you're not sure on whether a cloud service is approved, you can contact Information Security directly.
If you feel there's a valid case for an exception being made for your use of cloud services, SIM must be contacted for approval. However, it is unlikely that an exception would be made unless there is a necessary business reason for such an exception. Personal preference for similar but different tools already provided by the University is not a valid reason for an exception to be made.
Why can't I use other cloud services?
Use of unmanaged or unapproved cloud services can present a range of issues. Even in the cases of mainstream services like DropBox and Google Drive. These services might have good security measures but they still cause problems when you use them for university-related work.
- Legal issues if any third-party handles personal data, for example if you store it in a third party cloud storage platform like DropBox, agreements are often necessary to mitigate a variety of issues. For example, if you use a third party to store personal data that the university is responsible for, if something were to go wrong with the platform, the third party could absolve itself of much of the responsibility and consequently make the University suffer greater consequences as a result of the issue.
- Continuity can also be affected by the use of unapproved services. For example, a department might use DropBox to store a lot of files that continually need to be accessed. If staff members leave or login credentials are lost, there is no way for the University to retrieve that information.
- Overcomplication of processes one of the main reasons for having particular services used is for consistency and simplification of working processes. If information is hadnled on a few particular platforms, consistency in processes can be achieved across the whole institution.
- Security third party platforms that haven't been reviewed by the University may have inherent security flaws. Without the University reviewing and addressing these issues, we cannot be sure that platforms are safe to use.
- Information management practices some cloud storage platforms might not have the appropriate features for effective informaiton management for an institution like the university. An example of this is Google Drive, which may be favoured by some for personal use, but is not an efficient tool for work in the University.