Storing University data on mobile devices

You can reduce the risk of data loss if you use a laptop, tablet or mobile device to store or access University data.

General Principles

  1. Assess the sensitivity of your data. All University data should be assessed for its sensitivity and must be categorised as either classified data (confidential and highly confidential) or unclassified data. More detailed information can be found in the University Information Protection Policy. The storage of classified data is subjected to specific controls outlined below.
  2. Undertake training to improve your understanding. The University has an e-learning information awareness course for staff that will increase your understanding of Information Security. If using University devices for storing classified data we would strongly recommend completing this course.
  3. Where possible University data should be stored on University servers. If data is stored on a laptop, tablet or mobile device it should be stored for the shortest time possible before being moved to University servers.
  4. Classified data must not be stored in the cloud unless using a University approved application.
  5. Only connect to trusted wireless networks. The University wireless network is called 'eduroam'. This network is secure; your traffic encrypted; and is also available for your use at many other HE institutions worldwide. Ensure your wireless network at home has security enabled and when using public wireless services ensure you know and trust the provider. If your wireless connection is not encrypted consider using the University Desktop Anywhere service or VPN service to securely access your data.
  6.  Ensure safe Internet browsing. When browsing the Internet ensure your web browser is displaying HTTPS when entering usernames, passwords or sensitive information.
  7. Report your device if it is lost or stolen. If your device contains University data and is lost or stolen you should report the incident to the IT Help Desk. This is in addition to your mobile provider, insurer and police where relevant.

For University owned devices

    ­
  1. University owned devices must only be used by members of the University.
  2. University owned devices must have up to date anti-virus and security updates.
  3. Classified data can be stored on encrypted University laptops. All University laptops must be encrypted in accordance with the University Encryption Standard.
  4. Classified data can be stored on encrypted University tablets. Tablets must have encryption functionality enabled. This could be inbuilt, enabled via a security setting or an App.
  5. Classified data can be stored on University mobile devices. Mobile devices must have encryption functionality enabled. This could be inbuilt, enabled via a security setting or an App. If the device cannot be encrypted, particular attention should be paid to your e-mail in-box where unsolicited classified data can sometimes be received. Any classified data should be dealt with as a matter of urgency and then deleted.

For privately owned devices

    ­
  1. Classified data must not be stored on privately owned devices. If ­classified data is received by email, it should be dealt with as a matter of urgency and then deleted.
  2. Protect your privately owned device with anti-virus and security updates. Free anti-virus software is available from the Internet from a variety of vendors. Update your device with latest security patches and operating system updates. For tablets and mobile devices Apps should be updated to the most recent versions.

For all devices

    ­
  1. ­Enable device security. Ensure your device has a password enabled (key-lock, swipe lock, pattern lock or pin number). Do not share this and keep it secret. Your device should be set to lock automatically after a period no longer than 10 minutes.
  2. Enable remote-wipe capabilities. Many tablets and mobiles devices have remote wipe capabilities that can be enabled. If a device is lost it may be possible to remotely wipe its contents.­
  3. Synchronize your email for the minimum number of days that is practical. Many mobile devices can synchronize emails for a set period of time. This can be typically three days and should be set to the lowest numbers of days that is practical for your work.

A device that has been purchased by the University or through a research grant is regarded as a University owned device. These devices are commonly managed by your faculty IT team. A privately owned device is a device that is purchased by an individual and is their private property.­­