This page contains guidance on accessing and sharing classified data, meeting 3rd party security requirements, locking computers and complying with the password policy.
10. “Classified information may only be accessed and shared where necessary for the conduct of University business and only with appropriate authorisation.”
10.1 Access to classified information must be restricted to staff who need to know it in order to fulfil their role at the University. Careful consideration needs to be given to how the business requirements of the University will benefit by sharing classified data with others before doing so.
10.2 Line managers of staff moving department or changing role are responsible for ensuring that computer account permissions, such as access to N: Drive file shares, are removed when those staff no longer have a business need to access particular information.
11. “Before transferring classified data to or from a third party a Data Processing Agreement or Data Sharing Agreement signed by both parties must be in place.”
11.1 Where classified data is entrusted to a third party to process that data for the University, for example for application or systems / service support purposes, a Data Processing Agreement is required. The Agreement will stipulate the specific controls that are to be applied and adhered to by the Data Processor in order to ensure the security of that data.
11.2 Where there is a need to share classified data with a third party, allowing that third party to process that data not just for the University’s purposes, for example, when research staff are working collaboratively with staff at other institutions, a Data Sharing Agreement will be required.
11.3 All Data Processing Agreements are to be registered and filed with the correct authority:
Please consult the Secretariat if you require further guidance.
12. “Classified research data can only be shared in accordance with University, funder and project requirements, and as specified within ethical and contractual agreements and in most cases a signed Data Sharing Agreement.”
12.1 The Principal Investigator (PI) of any given research is responsible for implementing a Data Sharing Agreement, where required, before sharing any classified research data with an external institution or other body, and for adhering to any funder, ethical and contractual agreements before doing so.
12.2 In doing so the PI is responsible for ensuring that the recipient of any University classified research data fully understands the controls that need to be applied to ensure the security and availability of the data and provides confirmation that those controls will be implemented.
12.3 Please contact your IT Business Relationship Manager via the IT Service Desk if specific advice is required as to the security controls that are required to be implemented at a third party organisation.
13. “All third party security requirements concerning information that has been shared with the University must be implemented as agreed at the time of transfer.”
13.1 All agreed requirements and security controls specified by third parties who share their classified information with the University must be adhered to.
13.2 Should you require assistance to comply with any specific conditions that are required, you should contact your IT Business Relationship Manager via the IT Service Desk as appropriate.
14. “Only approved methods of external access can be used to access University IT systems and services.”
14.1 In order to protect University information from compromise and protect University computer systems and services from unauthorised access and malware, the University only allows external connectivity to its network through approved means.
14.2 No means of external connectivity other than those shown below are to be used to access University systems and services without written permission from IT:
• Desktop Anywhere; and,
• Virtual Private Network (VPN) – only for use by University owned and IT managed devices.
14.3 The use of Remote Desktop Protocol (RDP) or similar protocols used to remotely access desktops requires explicit authorisation from IT.
14.4 When using Desktop Anywhere you can access a number of services, depending on your role and permissions, in addition to your University email, M: Drive, N: Drive and University websites that are not openly accessible from off the campus wired network.
14.5 With Desktop Anywhere, it is as though you are sat at your work computer on campus. Although files and data are viewed on your monitor they never actually leave the University systems and the information is not cached on the client (accessing) computer. More information and details of how to set up Desktop Anywhere can be found in the related articles.
15. “Password protection must be used to prevent unauthorised access to all University computer systems.”
15.1 Locking your computer when leaving it unattended, even for a short period, prevents unauthorised access to data on an opportunistic basis and protects you from misuse of your account by anyone taking advantage of the unlocked machine.
15.2 To lock your Windows computer press Ctrl, Alt and Delete at the same time and select ‘lock this computer’. Equivalent mechanisms are available for non-Windows devices. Always log off and shut down your computer at the end of the working day.
15.3 Cluster PCs cannot be locked as other users would be deprived of access to a locked PC. Students are required to log off a cluster PC before leaving it unattended.
16. “All University members must comply with the University Password Policy. University passwords are to be kept secret, never divulged or shared, and never reused elsewhere.”
16.1 Passwords must be strong but memorable and based upon the parameters of the University Password Policy, see related articles for more information.
16.2 Never use the same password that you use to access University systems for accessing external sites. The University has no control over the security of an external site, and if such a site hosting your password is hacked, the attacker could potentially access University data if you are using the same password.
16.3 If you need a secretary, personal assistant or colleague to monitor your emails, even if just for a period of leave, provide them with delegated access rights to your mailbox.