Accessibility statement

Policy for safe use of University information on all devices: guidance

This guidance aims to help you meet the User Commitments in the Policy for safe use of University information on all devices by describing how you must configure and manage your devices to ensure safe use of University information.

Device definitions

Related pages

Further advice

University supplied and managed devices

Devices supplied by the University and which are managed by IT Services or an approved department system administrator (contact your Departmental Computing Officer in the first instance) will have security and management requirements pre-configured before the device is issued.

You must still act to meet all the User Commitments except:

  • configuring your device (2.5)
  • deleting University information from your device (2.13)

Non-University managed devices

Includes any devices which are not managed by IT Services or an approved department system administrator (so do not have security and management features pre-configured), including those which are supplied by the University, personally owned or provided by third parties.

You must act to meet all the User Commitments and ensure you configure your device with the required security features.

Meeting your commitments

User commitment Guidance

User commitment 2.1

Users must follow the actions specified in this policy in order to meet the University’s compliance requirements. Users must check whether there are additional legal and contractual requirements for their handling of University information and take action to meet them.

Everyone has a part to play in protecting information at the University and respecting duties of care. Loss or inappropriate use of information can harm others, damage our reputation and have legal and financial repercussions for the University and for you. You must protect your own information and devices, and safeguard other people's information.

If you act in breach of this policy, or do not act to implement it, you may be subject to disciplinary procedures or other appropriate sanctions.

In addition to meeting the University's requirements described in this policy you must also meet any other legal, ethical or contractual requirements which may be imposed on specific types of information, eg by bodies providing research funding or organisations with whom you have signed contracts.

It is your responsibility to check agreements and contracts and act on any requirements.

Advice is available from the Research Innovation Office.

User Commitment 2.2

Users must ensure that University regulations, policies and guidelines are followed when any device is used to create, store, transfer, process or destroy University information.

This commitment applies as soon as you enable automatic login to any service which might access University information. This includes access to both the University Google account (email, Docs, etc) as well as your Microsoft 365 account (OneDrive, Teams, etc); you cannot control receipt of emails or sharing of documents containing confidential University information so you must act to ensure security at all times.

Confidential University information is defined in the Information Classification and Handling Scheme.

Information Policy & You provides more information on the regulations and policies which apply to managing information safely.

User Commitment 2.3

Users must consider and address the risks of using any device to access University information in order to:

It is good practice to minimise the amount of University information stored on or accessed from non-University managed devices.

Remember that you need to ensure the security of all devices which hold University information, including mobile devices such as laptops, netbooks, smartphones, tablets, USB sticks, external or removable disc drives, voice recorders and flash/memory cards. The guidance for User Commitment 2.5 provides more information on how to configure your device.

Remember to consider the security of information on mobile devices where there are no device security features available (eg on many USB sticks, voice recorders, flash/memory cards it is not possible to set up passwords or encryption). You must not use these devices for confidential information (see the University Information Classification and Handling Scheme).

More detailed guidance on securing your data is provided by IT Services:

User commitment 2.4

Users must check the security requirements for University information stored on or accessed from their devices before travelling abroad, particularly if travelling outside the European Economic Area.

Under UK GDPR, personal data can be taken and/or accessed outside the European Economic Area provided (1) access is restricted to University of York employees only and (2) data is handled in accordance with IT security requirements. 

Data security

If you have encrypted the device and the data, you may be able to travel with personal data on your device. However, there are important exceptions to this so you must always carefully consider all the potential implications before taking your device and any personal data on it abroad. Some countries do not allow entry of encrypted devices without prior permission (or at all) and most countries can insist that the device and data is un-encrypted before entry. Where this is the case, data should be stored on University of York servers (for example, Filestore, Google Drive or Microsoft OneDrive) and accessed remotely via the virtual desktop service (VDS). For further information see the Travelling abroad guidance, which explains the key points to consider in relation to travelling with University information.

User Commitment 2.5

Users must encrypt, manage and configure their devices to ensure that University information is kept secure.

This is a summary of the actions you need to take to secure your devices and the information on them. These actions must be taken before accessing or storing University information on the device. Please read this page carefully to ensure you do not miss any required actions for your device.

Accessing any service such as email, Google Drive or Microsoft 365  (OneDrive) has the potential to give access to confidential University information as you can't know when someone will send or share with you confidential information.

You must assess the risk to University data whenever you access any service and secure the device if there is a chance of confidential information being accessible.

If you do not take these actions then your device is considered insecure and you must not directly access or store confidential University information on that device. Instead, you should use the virtual desktop service (VDS) to access the data through a secure virtual machine.

Devices supplied by the University and which are managed by IT Services or an approved department system administrator will have security and management requirements pre-configured before the device is issued.

You must not store or transport confidential information on removable or external media (eg USB sticks, external or removable disc drives, voice recorders and flash/memory cards) which do not support passwords or encryption (as mandated in the University Information Classification and Handling Scheme).

For clarity we have broken down the actions into six categories:

  • Accounts, passwords and screen lock features
  • Encryption
  • Security patches and software updates
  • Virus/malware protection
  • Network settings and firewalls
  • Remote security features

Please note: Some devices will not be able to meet all the requirements detailed here. If your device does not meet all the requirements detailed here it must not be used to access confidential University information, except through the VDS.

Accounts, passwords and screen lock features

You must:

  • set up a strong password or passcode for all accounts which give access to the device
    • Passwords for accounts holding or accessing University information must not be shared with anyone, including family, friends and colleagues
    • These passwords must not be the same as your University account password
    • Use more secure options than a numeric passcode if available on your device, (eg proper password, fingerprint)
    • If the passcode can only be numeric it is recommended that you make it longer than the common default of four digits and avoid commonly guessed passcodes (eg 1234, 0000, 2580)
  • configure your device to auto-lock after a period of inactivity of no more than 10 minutes
  • disable any "smart lock" functionality on your device
    • Smart lock automatically switches off your device password/passcode under certain conditions (eg when at home or when paired with your smartwatch)
  • ensure that any administrator action (such as installing software) requires re-authenticating
    • If your device supports multiple user accounts, one way is to have a separate administrator account used only for admin purposes (ie installing software, configuring device settings). This account should have its own unique password. The other accounts used by yourself, family, friends and colleagues should only have standard user access
    • Be aware that an administrator account can potentially view any file on the device

Encryption

You must:

  • ensure that full disk encryption is enabled on your device
    • Setting up a passcode on some devices will automatically encrypt your device. However, on other devices you will need to enable encryption yourself
    • You also need to consider encryption of storage cards, eg SD cards on phones, if they contain confidential information

Security patches and software updates

You must:

  • use a device running a supported version of an operating system that receives security updates
  • keep your device up to date by installing the latest security patches and software updates for both the operating system and the installed applications
    • You should enable automatic updates where available to ensure rapid response to security flaws
    • Security flaws in Adobe Acrobat/Reader, Flash, Java and Microsoft Office are commonly exploited for malicious purposes. If you have these applications installed, it is vital that you ensure that these are checked regularly for updates

Virus/malware protection

You must:

  • install and run automatic anti-virus software on any Windows device
    • Ensure this is kept up to date
    • Ensure this has on-access scanning switched on. This automatically scans new files, running processes and memory for infections
    • A full scan should be run at least once each week using your anti-virus software
  • configure any Android device to prevent the installation of applications from unknown sources
  • configure other devices/operating systems as appropriate.

For further guidance, including recommended software, see:

Network settings and firewalls

You must:

  • configure your device so that it does not connect automatically to unknown or open wireless networks as they are often insecure
  • configure or disable any local network file sharing options on your device to prevent confidential University data from being inadvertently shared
  • enable the firewall on any Windows, OS X or Linux device

For further guidance, see:

Remote security features

Some devices offer remote lock/erase/locate features for extra security in the event your device is lost or stolen. If your device offers these features it is recommended these are enabled.

User Commitment 2.6

Users must encrypt confidential University information before sharing it and use University supported services to transmit and store it.

Accessing confidential University data

As standard good practice, if you are using a non-University managed device, whenever possible you should access confidential University information via the University's remote access facilities rather than directly.

If your device is not secure:

  • You must use the virtual desktop service (VDS) to access any confidential University information
    • The VDS gives you secure access to a virtual Windows desktop which has the same look and feel of logging on to a managed PC and does not store files on the device

If your device is secure:

  • You can use the VDS or the virtual private network (VPN) to access confidential University information stored on University managed filestores
    • The VPN is a secure connection that allows your device to access the University network when you are off campus, but it allows files to be stored on the device so is not suitable for use when your device is not secure
  • You can access files stored on Google Drive and Microsoft 365 (OneDrive) directly from a secure device

Your device is considered secure if it meets all the requirements of User Commitment 2.5.

Storing confidential University data

Confidential University data should be stored on a University managed filestore whenever possible. You must ensure that any confidential University information is only accessible to those that need it. We do not require you to encrypt data stored on a University managed filestore.

Google Drive and Microsoft OneDrive qualify as University supported services, meaning you may store confidential University data on both Google Drive and OneDrive. You must ensure that any confidential University information is only shared with those that need it.

Google provide guidance on managing the sharing settings for files and folders stored on Google Drive:

Microsoft provide guidance on managing the sharing settings for files and folders stored on OneDrive:

We do not require you to encrypt all confidential data stored on Google Drive or OneDrive. However, if you are sharing confidential data with external users then it must be encrypted first:

You should contact IT Services if you require assistance storing or managing access to confidential data.

Use of other cloud services

You must not transfer or store confidential University information using any non-University supported cloud service which does not meet information security and Data Protection requirements.

Most cloud services (eg Dropbox) are not supported by the University and do not meet Data Protection requirements.

Be aware that for unsupported services:

  • security cannot be guaranteed
  • there is a high probability that the information will be stored outside the European Economic Area or (for personal data stored under contract in the US) will not conform to the Privacy Shield Framework and will therefore not comply with legal or other requirements such as the Data Protection Act or research funder, NHS and commercial contracts.
  • when staff leave the University or are away from it for any reason, the information becomes inaccessible as no one else can access your account.

Transmitting confidential University data

If it becomes absolutely necessary to store or transmit confidential data outside of a shared filestore, Google Drive or OneDrive (eg via email, the DropOff Service) then the data must be encrypted beforehand:

It is vital you do not transmit the encryption password via the same method as the encrypted data. You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone.

The DropOff Service is the preferred method of transmitting any data in and out of the University.

If you are sending encrypted data to someone external to the University, they must ensure that the device they use to access the data also meets the requirements of User Commitment 2.5.

User Commitment 2.7

Users must minimise the risk of inadvertently giving away their private information and access to their devices by checking that the online services and web sites they access have appropriate security features for the intended task

It is vital you perform these checks before entering any private information into a webpage, otherwise this data may be intercepted and used for malicious purposes. This would put University information at risk.

The most common situation where this applies is when inputting your University (or personal) username and password into a webpage or other online service.

Secure connections

If you have a secure connection to a webpage, the web address will begin https:// - the 's' stands for 'secure'. If the web address begins http:// then the connection is not secure.

Most web browsers will also display a padlock symbol in the address bar. This means the website has been issued an Extended Validation (EV) certificate, which normally indicates that the website is more trustworthy. Clicking on the padlock icon will display more information about the certificate, including the name of the Certificate Authority that issued it.

If in doubt, do not input any private information until you have double checked that the web page is secure. You should contact IT Services if you are unsure.

If you are using a shared device, remember to logout of the website when you have completed your transaction, and before you close the browser. Closing the browser will not necessarily log you out.

User Commitment 2.8

Users must minimise the risk of infection from malicious software by assessing whether to install a new piece of software, accept a download, or similar.

You must stop and assess whether to accept pop-ups asking to install a new piece of software, accept a download, or similar to avoid infecting your device with malicious software. Many kinds of malicious software will put the information on your device at risk.

If you say no at the time the pop-up appears, you can always change your mind later when you have checked that the software or download is legitimate.

You should contact IT Services if you are unsure.

User Commitment 2.9

Users must not leave their device unattended and unsecured where there is a risk of theft or unauthorised access.

Your devices can be considered secure from unauthorised access if you have configured them to go to a secure (password protected) auto-lock or screensaver after a period of inactivity of no more than 10 minutes (as required under User Commitment 2.5).

Any device that you have not secured from unauthorised access (eg if it's a mobile device that does not have security features available) is a high risk and must be locked in a secure place such as a drawer, cupboard or safe. You should not consider locked offices as being secure as they may be unlocked for various reasons such as cleaning.

Mobile devices are at higher risk of theft even if secured from unauthorised access and you should lock them in a secure place if there is a risk that University information will be lost. It is good practice to make sure you have a copy of the information securely stored on a University approved system.

You must carry your devices as hand luggage when travelling.

You must ensure that any company you use for hardware repair is subject to a contractual agreement which guarantees the secure handling of your device and any information stored on it.

Similar considerations apply to information in physical formats.

User Commitment 2.10

Users must not allow non-members of the University to make any use of University supplied devices (including family and friends).

University supplied devices are the property of the University and are provided to you on the understanding that you use them appropriately.

If you choose to provide non-members of the University access to University supplied devices you are putting the security of University information at risk and are therefore in violation of this Policy. It may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities).

User commitment 2.11

Users must control access to University information accessed from or stored on their devices.

You must ensure that University information is protected on all your devices.

Remember User commitment 2.10: Users must not allow non-members of the University to make any use of University supplied devices (including family and friends).

Non-University supplied devices

If University information can be accessed from non-University supplied devices:

  • The device must be secured by a password which is not shared with anyone else (including family, friends or colleagues)

or

  • If the device is shared, University information must be secured with a password or stored in a secure part of the device, eg by implementing a Mobile Device Management (MDM) solution which protects parts of the device from inappropriate access.
User Commitment 2.12

Users must search their devices and provide University information if required to do so by the University.

Circumstances where this might be necessary include (but are not restricted to) Subject Access Requests under the UK GDPR or Freedom of Information requests.

User Commitment 2.13

Users must securely delete University information from non-University managed devices when they have finished using the information.

As general good practice you should minimise the amount of University information stored on or accessed directly from a non-University managed device as this reduces the risk of inadvertently breaching this policy.

Whenever possible you should access confidential University information via the University's remote access facilities rather than directly.

For more information, see the guidance for User Commitment 2.6, above.

Remember that University information includes all emails (including those in the Sent folder) and attachments saved to the device.

Information on retention periods, temporary records and disposing of records can be found on the Records Management pages

User Commitment 2.14

Users must inform the University if any device holding or providing access to University information is lost or stolen, or is subject to a security incident which might have compromised the information (such as unauthorised access). This includes University and non-University supplied devices.

Remember that this includes all devices where you have an automatic login set up for access to University services (eg Google Apps, Microsoft 365, SITS).

You must contact the Computer Emergency Response Team as soon as possible.

For more information see the University Information security incident management policy.

User Commitment 2.15

Users must return University supplied devices to the University on request or when they are no longer being used for the purpose for which they were provided, and in any case before leaving the University.

University supplied devices are the property of the University and are provided to you on the understanding that you use and return them appropriately.

If you do not return the device you are putting the security of University information at risk and are therefore in violation of this Policy. You are also keeping University property inappropriately. This may lead to you being subject to disciplinary procedures or other appropriate sanctions (see Policy for safe use of University information on all devices: Sections 5.3 and 5.4 - Responsibilities).