This policy applies to staff, postgraduate research students, associates, and anyone else using endpoint devices (e.g. laptops, desktops, mobile or tablet devices) to access University IT services and University information.
This policy explains what you need to do to make sure University information is safe when you are accessing, storing or managing it.
1.1 Information handling
1.1.1 The University aims to facilitate the utilisation, exchange and storage of information across the University and with external bodies or organisations, while appropriately protecting its confidentiality, availability and integrity.
1.1.2 This policy acknowledges that the University is responsible for ensuring that information handling complies with legal, contractual and ethical requirements, regardless of the means by which University information is accessed.
1.1.3 All information processing must consider and address the risks of using any device to access University information in order to:
1.1.4 Any security incident which may impact on the confidentiality or integrity of University information (not restricted to personal information), e.g.:
must be reported (cyber-incident@york.ac.uk) and subject to a security review to establish any factors that may compromise the devices or information.
1.2 User requirements
1.2.1 Users must follow the actions specified in this Policy to meet the University's compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.
1.2.2 Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information. Guidance for policy for safe use of University information on all devices provides advice on how users can meet their obligations.
1.2.3 All Users must check the data protection and security requirements for University information stored on or accessed from their devices before travelling, particularly if travelling outside the European Economic Area.
1.2.4 Users must ensure that they adequately protect any Restricted or Confidential University information before sharing it, and use University supported services to transmit and store it.
1.2.5 Users must control access to University information accessed from or stored on their devices; it is not permitted to allow family or other individuals not connected to the University to access University provided devices.
1.2.6 Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.
1.2.7 Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident (such as unauthorised access), which might have compromised the information.
1.3 Endpoint Protections
1.3.1 Any loss of device (e.g. theft, misplaced) which may have been hosting or providing access to University information must be reported to the University (cyber-incident@york.ac.uk) as soon as practically possible.
1.3.2 University devices
1.3.3 Bring Your Own Device (BYOD)
1.3.4 Third Party Device
1.4 Device monitoring and access
1.4.1 The University may deny or restrict access to University information from devices which are not registered with or can provide security assurances upon connections; this is to protect the integrity and availability of University information and services.
1.4.2 The University may scan any device used to access the University’s network or information to look for threats and to ensure information security.
1.4.3 When a threat is identified through automatic scanning of any device, the University will investigate further and at its discretion may clean the device before it may be used to access the University network.
1.4.4 The University will actively prevent network and information access to any device that it has assessed and considers to be a risk to the network, IT service or information security.
1.4.5 Restrictions may be applied through assessment of devices as they connect to the University networks, and may include the imposition of configuration requirements for users to apply to devices, requirements to update software or the requirement to run managed security software.
1.5 The University may require users to give representatives access to University information stored on personally owned or third party owned devices.
1.6 The University provides guidance to help users implement this policy
1.6.1 Guidance for policy for safe use of University information on all devices
2.1 The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.
3.1 All users of University information are responsible for complying with this policy and other University policies for the protection of information and ensuring the security of the information to which they have access.
3.2 University Officers, Heads of Departments and Section Heads are responsible for ensuring that all information in their area is managed in conformance with this policy.
3.3 Users who act in breach of this policy, or who do not act to implement it, may be referred for further action following the University’s Disciplinary procedure and guidelines.
3.4 Any violation of this policy must be reported to the Head of Cyber Security, or their nominee, who will take appropriate action and inform the relevant authorities.
This document, together with related guidance, is available at:
4.1.1 University Information Policy index
4.1.2 Guidance on this policy
4.1.3 Information Classification and Handling Scheme
4.1.4 University Regulation 11: Using University Information
20 April 2015 | Approved by Information Security Board |
---|---|
December 2017 | Approved by Information Security Board |
24 January 2023 | Renamed from “Policy for safe access and use of University information”. Approved by Information Security Board |
Review cycle: Annual
Date of next review: January 2024