Bring Your Own Devices (BYOD)

To help keep our University systems and information secure and to protect ourselves against the risk of cyber attack, we are making some changes to how Bring Your Own Devices (BYOD) are used at the University.

Bring Your Own Devices are any personal devices such as desktops, laptops, tablets and mobile phones used to access certain University systems and data as part of your day-to-day work, but which are not owned or maintained by the University.

We need to be assured that any personal devices which are used to access University systems are secure and cannot be exploited by hackers.

As well as helping to keep our information secure, knowing where our University systems are being accessed from and where our data is stored is also needed to achieve standards required by a number of our funding partners. This includes Cyber Essentials, a government-backed scheme held by many other leading universities.

You can read more about the Cyber Essentials requirements in the frequently asked questions at the bottom of this page. 

Information has been shared with Department Heads to inform team members.

What's happening? 

To help achieve these required standards, and ensure data security, we need to gather a list of all devices accessing our University systems.

We are therefore asking all staff (including graduate teaching assistants) to share some details of any personal laptops, desktops, tablets or mobiles which they use to access University systems.

Contractors, visiting lecturers, examiners or other external partners will not be asked to register their device at this stage.

You will need to register your personal device if you use it to: 

  • use Google services like Gmail or Calendar or tools like Slack or Zoom; 
  • access any documents or data in your University Google Drive, OneDrive or central storage;
  • access systems that require your username, password and two-factor authentication. This includes the virtual desktop service (VDS) and the virtual private network (VPN).

If you only use a personal device to take standard work calls (not Zoom), text messages (SMS) and for Duo and Google multi-factor authentication, registration is not required.

Staff will still be able to use their personal device to access these systems but to help keep all of the University information stored on them secure, we need to have a record of all devices accessing them. 

We are only asking you to record the minimum information required by the Cyber Essentials standard. The information we share as part of our Cyber Essentials will be anonymised; however, we may contact you if there is a specific issue with the device you’re using, or if the operating system you’re using goes out of support.

We understand that it can be useful for staff to use a secondary, personal device for work, e.g. using your mobile phone to check emails or Slack messages whilst on the go. You may also be using a personal device to work from home if you have a managed desktop PC in your office on campus.

At the end of the device form you will be asked to confirm you agree with a set of obligations. These are there to ensure that you know that by using personal devices for work, the University has requirements on you to keep your devices up to date with security.

Policy on Bring Your Own Devices 

The policy for device access to University information has been updated to cover the use of Bring Your Own Devices.

This policy prohibits the downloading of any Confidential Data on any personal devices. 

This means that while you may work on Confidential Data in a Google document or sheet, you must not use the ‘Download’ function to save a copy on your personal devices.

We also need everyone to be aware when they are accessing or downloading attachments from emails or Slack as they may also include confidential information.  

This is to protect the private information of our staff and students; we cannot have any Confidential Data saved on devices which are out of our control.

It is important that all staff take the time to read this updated policy.

Frequently asked questions 

Why are we doing this now?

Cyber attacks against higher education organisations are increasing significantly and we have seen large organisations taken offline or having to restrict their access to IT systems as a result of these attacks.

Whilst we are currently working to make sure all employees have access to a managed device, which will reduce the likelihood of such an attack, we also need to look at the personal devices which are used to access our University systems and which may introduce vulnerabilities that could be exploited by hackers.  

Additionally, the University previously held a certification called Cyber Essentials. This demonstrated that the essential security and information assurance controls were in place, and is a standard that is commonly asked for by external research parties. When the standard was updated last year it introduced requirements for BYOD that we cannot meet without compiling a register of all the BYOD devices in use.

Should we be using personal devices for work?

All employees must use a managed device as their primary device. If you do not have a managed device, please contact your department admin team to arrange to receive one (via IT's end-to-end service). 

You may also use a secondary personal device if you need to, as long as you don’t download any confidential information on it. You may work on confidential information in a Google document or sheet but you must not use the ‘Download’ function to save a copy on your personal device.

What about students?

Postgraduate research students must register their personal devices on the BYOD asset register if they use them in any of the ways listed above. This requirement is due to their access to systems that store University information, which is not available to other postgraduate or undergraduate students.

Will I be blamed if I cause a data or cyber breach if you know I have a BYOD device?

If there is a breach or compromise of your BYOD we will need to work with you to understand what has happened and what University information or systems may be at risk. We would use any incident as a learning opportunity on how to prevent such instances in the future, rather than apportion blame.

However, we are taking this opportunity to remind everyone of their obligations to be compliant with our policy for device access to University information: making sure you are updating your software with the latest security fixes and not using BYOD to access confidential information.

What is classed as confidential data?

Confidential data is classified as ‘information that can be seen by University members on a need-to-know basis as determined by the responsible Data Owner.’

What details do I need to record?

We are only asking you to record the minimum information required by the Cyber Essentials standard and to ensure your device has a basic level of security. 

For laptops and desktops: 

  1. What operating system do you use?
  2. Does anyone else use the device?
  3. What version of the operating system is installed?
  4. Do you update or patch your device regularly?
  5. Do you have antivirus software installed?
  6. How do you log in to your device?

For mobile phones and tablets:

  1. What operating system do you use?
  2. Does anyone else use the device?
  3. What is the manufacturer model of your device?
  4. How do you authenticate to your device?
  5. Do you apply patches to your device?

At the end of the device form you will be asked to confirm you agree with a set of obligations. These are there to ensure that you know that by using BYOD the University has requirements on you to keep your devices up to date with security. 

What if I get a new phone but keep the same number, do I need to register it?

Yes, you must register all personal devices you use to access the University systems detailed above.

If I use more than one personal device for work, can I register them both in the same submission?

No, if you have more than one personal device, you will need to register them in separate submissions because we need to know specific device details. 

I only use my BYOD to access University services after work hours. Should I just delete these apps/accounts from my BYOD?

The University is committed to all staff maintaining a good work-life balance. If you are not required to be contacted outside of usual working hours as part of your role, consider removing work apps such as Slack or Zoom or logging out of your work email account on your personal phone. We understand this may not apply to those members of staff who need to be contacted when working around campus during work hours.

If I register my personal device, will the University be able to view/control the content on it?

No, registering your device does not mean IT Service or anyone else at the University will be able to view, access or control it. We just need to know which devices are accessing our systems.

What if I don’t register my device? Will you block my access to University systems?

We are currently not planning on putting any technical limits on devices accessing our systems which are not registered on the device register. One of the key things we are trying to protect is confidential data; if you download confidential data on personal devices you will be in breach of the policy for device access to University information.

I need to use a mobile for work but don’t want to register my personal device, can I have a work phone?

There is currently no scope to provide additional work phones. Staff will still be able to access the systems they require for work on their personal devices. If you do register your personal device, nobody at the University will be able to access or view any content on it.

What challenges do personal devices present?

Personal devices present several security challenges to the University, including when we’re asked to demonstrate that our information is kept safe and in line with the security standards required by external agencies such as our research partners.

Challenges include:

  • ensuring personally owned devices comply with University policies and procedures;
  • establishing what, if any, support we can provide for the wide range of device types and operating systems that an employee may want to use;
  • protecting the University’s data, systems and infrastructure;
  • ensuring the personal privacy of the end-user/device owner; and
  • ensuring we can meet legal, compliance and contractual obligations.

It is difficult for the University to ensure that sensitive data is kept secure, and therefore we must take steps to look at and address these risks, such as implementing policy on what type of information can and cannot be accessed on a personal device, ensuring personal devices are encrypted and offering a range of security training to staff.

What is Cyber Essentials? What role does BYOD play in achieving it?

Cyber Essentials is set by the National Cyber Security Centre (NCSC) as a baseline minimum standard for information and cyber security. Certification to this standard is now common in public sector backed procurement and research contracts and was something the University previously held. 

When the standard was updated last year it brought in requirements for personal devices that we cannot meet without the updated policy on device access and compiling a register of all the personal devices used. 

The new standard has two criteria that bring personal devices into scope:

  1. You need to provide a summary of all laptops, computers, virtual desktops and their operating systems that are used for accessing organisational data or services and have access to the internet.

    For example, “We have 25 DELL laptops running Windows 10 Professional version 20H2 and 10 MacBook laptops running MacOS Ventura”.

    Please note, the edition and feature version of your Windows operating systems are required. This applies to both your corporate and user owned devices (BYOD). 
  2. All tablets and mobile devices that are used for accessing organisational data or services and have access to the internet must be included in the scope of the assessment. This applies to both corporate and user owned devices (BYOD).

Is the standard for Cyber Essentials likely to change again?

The Cyber Essentials standard is updated annually. At present our policy and guidance approach is compliant with the standard; however, we will need to adapt if the standard develops further. We will update everyone if further changes are required.