This guidance aims to help you meet the User Commitments in the Policy for safe use of University information on all devices by describing how you must configure and manage your devices to ensure safe use of University information.
Related pages
- Policy for safe use of University information on all devices
- Information Classification and Handling Scheme
- Data Protection
- Records management
- For researchers: Research data management
- Information Commissioner’s Office: Online and electronic devices
Further advice
- IT Services
- Research Innovation Office (advice on contract requirements)
Devices supplied by the University and which are managed by IT Services or an approved department system administrator (contact your Departmental Computing Officer in the first instance) will have security and management requirements pre-configured before the device is issued.
You must still act to meet all the User Commitments except:
Includes any devices which are not managed by IT Services or an approved department system administrator (so do not have security and management features pre-configured), including those which are supplied by the University, personally owned or provided by third parties.
You must act to meet all the User Commitments and ensure you configure your device with the required security features.
User commitment | Guidance |
---|---|
User commitment 2.1 Users must follow the actions specified in this policy in order to meet the University’s compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them. |
Everyone has a part to play in protecting information at the University and respecting duties of care. Loss or inappropriate use of information can harm others, damage our reputation and have legal and financial repercussions for the University and for you. You must protect your own information and devices, and safeguard other people's information. If you act in breach of this policy, or do not act to implement it, you may be subject to disciplinary procedures or other appropriate sanctions. In addition to meeting the University's requirements described in this policy you must also meet any other legal, ethical or contractual requirements which may be imposed on specific types of information, eg by bodies providing research funding or organisations with whom you have signed contracts. It is your responsibility to check agreements and contracts and act on any requirements. Advice is available from the Research Innovation Office. |
User Commitment 2.2 Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information. |
This commitment applies as soon as you enable automatic login to any service which might access University information. This includes access to both the University Google account (email, Docs, etc) as well as your Microsoft 365 account (OneDrive, Teams, etc); you cannot control receipt of emails or sharing of documents containing confidential University information so you must act to ensure security at all times. Confidential University information is defined in the Information Classification and Handling Scheme. Information Policy & You provides more information on the regulations and policies which apply to managing information safely. |
User Commitment 2.3 Users must consider and address the risks of using any device to access University information in order to:
|
It is good practice to minimise the amount of University information stored on or accessed from non-University managed devices. Remember that you need to ensure the security of all devices which hold University information, including mobile devices such as laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, voice recorders and flash/memory cards. The guidance for User Commitment 2.5 provides more information on how to configure your device. Remember to consider the security of information on mobile devices where there are no device security features available (eg on many USB sticks, voice recorders, flash/memory cards it is not possible to set up passwords or encryption). You must not use these devices for confidential information (see the University Information Classification and Handling Scheme). More detailed guidance on securing your data is provided by IT Services: |
User commitment 2.4 Users must check the security requirements for University information stored on or accessed from their devices before travelling abroad, particularly if travelling outside the European Economic Area. |
Under UK GDPR, personal data can be taken and/or accessed outside the European Economic Area provided (1) access is restricted to University of York employees only and (2) data is handled in accordance with IT security requirements. Data security If you have encrypted the device and the data, you may be able to travel with personal data on your device. However, there are important exceptions to this so you must always carefully consider all the potential implications before taking your device and any personal data on it abroad. Some countries do not allow entry of encrypted devices without prior permission (or at all) and most countries can insist that the device and data is un-encrypted before entry. Where this is the case, data should be stored on University of York servers (for example, Filestore, Google Drive or Microsoft OneDrive) and accessed remotely via the virtual desktop service (VDS). For further information see the Travelling abroad guidance, which explains the key points to consider in relation to travelling with University information. |
User Commitment 2.5 Users must encrypt, manage and configure their devices to ensure that University information is kept secure. |
This is a summary of the actions you need to take to secure your devices and the information on them. These actions must be taken before accessing or storing University information on the device. Please read this page carefully to ensure you do not miss any required actions for your device. Accessing any service such as email, Google Drive or Microsoft 365 (OneDrive) has the potential to give access to confidential University information as you can't know when someone will send or share with you confidential information. You must assess the risk to University data whenever you access any service and secure the device if there is a chance of confidential information being accessible. If you do not take these actions then your device is considered insecure and you must not directly access or store confidential University information on that device. Instead, you should use the virtual desktop service (VDS) to access the data through a secure virtual machine. Devices supplied by the University and which are managed by IT Services or an approved department system administrator will have security and management requirements pre-configured before the device is issued. You must not store or transport confidential information on removable or external media (eg USB sticks, external or removable disc drives, voice recorders and flash/memory cards) which do not support passwords or encryption (as mandated in the University Information Classification and Handling Scheme). For clarity we have broken down the actions into six categories:
Please note: Some devices will not be able to meet all the requirements detailed here. If your device does not meet all the requirements detailed here it must not be used to access confidential University information, except through the VDS. Accounts, passwords and screen lock features You must:
Encryption You must:
Security patches and software updates You must:
Virus/malware protection You must:
For further guidance, including recommended software, see: Network settings and firewalls You must:
For further guidance, see: Remote security features Some devices offer remote lock/erase/locate features for extra security in the event your device is lost or stolen. If your device offers these features it is recommended these are enabled. |
User Commitment 2.6 Users must encrypt confidential University information before sharing it and use University supported services to transmit and store it. |
Accessing confidential University data As standard good practice, if you are using a non-University managed device, whenever possible you should access confidential University information via the University's remote access facilities rather than directly. If your device is not secure:
If your device is secure:
Your device is considered secure if it meets all the requirements of User Commitment 2.5. Storing confidential University data Confidential University data should be stored on a University managed filestore whenever possible. You must ensure that any confidential University information is only accessible to those that need it. We do not require you to encrypt data stored on a University managed filestore. Google Drive and Microsoft OneDrive qualify as University supported services, meaning you may store confidential University data on both Google Drive and OneDrive. You must ensure that any confidential University information is only shared with those that need it. Google provide guidance on managing the sharing settings for files and folders stored on Google Drive: Microsoft provide guidance on managing the sharing settings for files and folders stored on OneDrive: We do not require you to encrypt all confidential data stored on Google Drive or OneDrive. However, if you are sharing confidential data with external users then it must be encrypted first: You should contact IT Services if you require assistance storing or managing access to confidential data. Use of other cloud services You must not transfer or store confidential University information using any non-University supported cloud service which does not meet information security and Data Protection requirements. Most cloud services (eg Dropbox) are not supported by the University and do not meet Data Protection requirements. Be aware that for unsupported services:
Transmitting confidential University data If it becomes absolutely necessary to store or transmit confidential data outside of a shared filestore, Google Drive or OneDrive (eg via email, the DropOff Service) then the data must be encrypted beforehand: It is vital you do not transmit the encryption password via the same method as the encrypted data. You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone. The DropOff Service is the preferred method of transmitting any data in and out of the University. If you are sending encrypted data to someone external to the University, they must ensure that the device they use to access the data also meets the requirements of User Commitment 2.5. |
User Commitment 2.7 Users must minimise the risk of inadvertently giving away their private information and access to their devices by checking that the online services and web sites they access have appropriate security features for the intended task |
It is vital you perform these checks before entering any private information into a webpage, otherwise this data may be intercepted and used for malicious purposes. This would put University information at risk. The most common situation where this applies is when inputting your University (or personal) username and password into a webpage or other online service. Secure connections If you have a secure connection to a webpage, the web address will begin https:// - the 's' stands for 'secure'. If the web address begins http:// then the connection is not secure. Most web browsers will also display a padlock symbol in the address bar. This means the website has been issued an Extended Validation (EV) certificate, which normally indicates that the website is more trustworthy. Clicking on the padlock icon will display more information about the certificate, including the name of the Certificate Authority that issued it. If in doubt, do not input any private information until you have double checked that the web page is secure. You should contact IT Services if you are unsure. If you are using a shared device, remember to logout of the website when you have completed your transaction, and before you close the browser. Closing the browser will not necessarily log you out. |
User Commitment 2.8 Users must minimise the risk of infection from malicious software by assessing whether to install a new piece of software, accept a download, or similar. |
You must stop and assess whether to accept pop-ups asking to install a new piece of software, accept a download, or similar to avoid infecting your device with malicious software. Many kinds of malicious software will put the information on your device at risk. If you say no at the time the pop-up appears, you can always change your mind later when you have checked that the software or download is legitimate. You should contact IT Services if you are unsure. |
User Commitment 2.9 Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access. |
Your devices can be considered secure from unauthorised access if you have configured them to go to a secure (password protected) auto-lock or screensaver after a period of inactivity of no more than 10 minutes (as required under User Commitment 2.5). Any device that you have not secured from unauthorised access (eg if it's a mobile device that does not have security features available) is a high risk and must be locked in a secure place such as a drawer, cupboard or safe. You should not consider locked offices as being secure as they may be unlocked for various reasons such as cleaning. Mobile devices are at higher risk of theft even if secured from unauthorised access and you should lock them in a secure place if there is a risk that University information will be lost. It is good practice to make sure you have a copy of the information securely stored on a University approved system. You must carry your devices as hand luggage when travelling. You must ensure that any company you use for hardware repair is subject to a contractual agreement which guarantees the secure handling of your device and any information stored on it. Similar considerations apply to information in physical formats. |
User Commitment 2.10 Users must not allow non-members of the University to make any use of University supplied devices (including family and friends). |
University supplied devices are the property of the University and are provided to you on the understanding that you use them appropriately. If you choose to provide non-members of the University access to University supplied devices you are putting the security of University information at risk and are therefore in violation of this Policy. It may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities). |
User commitment 2.11 Users must control access to University information accessed from or stored on their devices. |
You must ensure that University information is protected on all your devices. Remember User commitment 2.10: Users must not allow non-members of the University to make any use of University supplied devices (including family and friends). Non-University supplied devices If University information can be accessed from non-University supplied devices:
or
|
User Commitment 2.12
Users must search their devices and provide University information if required to do so by the University. |
Circumstances where this might be necessary include (but are not restricted to) Subject Access Requests under the UK GDPR or Freedom of Information requests. |
User Commitment 2.13 Users must securely delete University information from non-University managed devices when they have finished using the information. |
As general good practice you should minimise the amount of University information stored on or accessed directly from a non-University managed device as this reduces the risk of inadvertently breaching this policy. Whenever possible you should access confidential University information via the University's remote access facilities rather than directly. For more information, see the guidance for User Commitment 2.6, above.Remember that University information includes all emails (including those in the Sent folder) and attachments saved to the device. Information on retention periods, temporary records and disposing of records can be found on the Records Management pages. |
User Commitment 2.14 Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident which might have compromised the information (such as unauthorised access). This includes University and non-University supplied devices. |
Remember that this includes all devices where you have an automatic login set up for access to University services (eg Google Apps, Microsoft 365, SITS). You must contact the Computer Emergency Response Team as soon as possible. For more information see the University Information security incident management policy. |
User Commitment 2.15 Users must return University supplied devices to the University on request or when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University. |
University supplied devices are the property of the University and are provided to you on the understanding that you use and return them appropriately. If you do not return the device you are putting the security of University information at risk and are therefore in violation of this Policy. You are also keeping University property inappropriately. This may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities). |