Device security

This page provides detail from the University Security policy on the requirements for device security, including information about encryption, securing devices, portable devices, using private devices, network connectivity and disposal.

It should inform you of how to best manage such devices and the data held on them to comply with University policy. 

Security functionality

Policy Requirement

19. “The in-built security functionality available on any portable IT device e.g. mobile phone, laptop and pen drives, capable of accessing or storing University data must be operational prior to doing so.”

19.1 All available security functionality on portable devices should be implemented prior to them being used to access or store University information. Such functionality may include PIN / password / biometric access controls, encryption, find my phone / device and remote wipe. Please remember that you have an obligation to encrypt the device.

19.2 If you are unsure how to use the security functionality on your mobile device you should visit the IT Service Desk with it.

Encryption of devices

Policy Requirement

20. “All portable IT devices and removable storage devices, including those which are privately-owned and used to store University data, must be encrypted.”

20.1 Unencrypted portable IT devices present a significant security risk because they are frequently lost or stolen and it is possible for an unauthorised person gaining physical access to them to bypass the login mechanism and access the data they contain. Once they are encrypted the data is neither human nor machine readable without the decryption key, so the risk of data loss is removed.

20.2 Although some users of portable University IT devices do not normally create or process classified data in their day-to-day activities, they have no control over the information that they receive, such as classified attachments to emails. For this reason all University portable IT devices must be encrypted.

20.3 The decryption key (password) needs to be strong, memorable and secure in order to prevent the encryption protection from being undermined. Never write it down and never divulge it to anyone else, other than the police / IT Security Investigations Team staff when they are undertaking a specific investigation that requires access to the laptop / device.

20.4 All University-owned laptops (Windows and Macintosh) must be encrypted in accordance with the University’s Encryption Standard. This ensures that lost keys (forgotten passwords) can be recovered and data can be accessed should it be required by the University at a time when the laptop user is unavailable.

20.5 Special arrangements need to be implemented for protecting the encryption key of Linux devices. If you are a Linux user, please contact the IT Service Desk.

20.6 Any questions regarding the encryption of University-owned laptops or removable storage devices should be directed to the IT Service Desk.

Securing devices

Policy Requirement

21. “University-owned portable devices must either be held securely about the person or if unattended locked securely away.”

21.1 When travelling portable IT devices should be kept with the individual or within their sight at all times. In the event of such a device having to be left in a parked car, care must be taken to ensure that it is not left on display.

21.2 Even if portable IT devices are encrypted they should be locked away in a drawer or filing cabinet outside office hours to protect against both opportunist theft and burglary.

Use of portable devices - highly confidential data

Policy Requirement

22. University-owned portable IT devices may be used temporarily to hold Highly Confidential data. Only the absolute minimum data must be held in this manner.

22.1 If you have to keep Highly Confidential data on an encrypted portable device, such as a laptop, memory stick and other removable media, do so only on a temporary basis. Keep the volume of data to the absolute minimum required for immediate operational purposes and delete it at the earliest possible opportunity thereafter.

Security of private computers

Policy Requirement

23. “Privately-owned computers used for University work must have up-to-date security functionality.”

23.1 The University provides day to day security maintenance of work computers, which requires minimal user intervention, but it is the responsibility of individuals to ensure that their own private equipment, which is used to access University data, has adequate security provision.

23.2 Private computers need to be kept up to date with both security patches and anti-virus software. These can be set to automatically update from Microsoft for Microsoft PCs. Additional controls such as a software firewall should be used to protect your computers, and anti-spyware and anti-spam software should also be considered for added protection.

23.3 The encryption of privately-owned Windows laptops is required if they are to be used to access University data. The in-built BitLocker security facility available through ‘Professional’ and ‘Enterprise’ versions of Windows 7 (and later) and through Windows 10 ‘Education’ is recommended. This is available through the University for home use while employed by the University. See the related article. It is important that anyone encrypting their privately-owned laptop makes a copy of their decryption key to protect against key loss.

23.4 Apple Macintosh users should ask the IT Service Desk for advice if they are unsure how to implement the in-built encryption functionality. Anyone using computers with a Linux operating system should also seek advice from the IT Service Desk.

Use of private devices

Policy Requirement

24. “Privately-owned portable devices must generally not be used to create or access classified data other than via approved access routes such as Desktop Anywhere.”

24.1 If you are using a non-University owned computer for University work make sure that no-one else can use it to view University information which is not in the public domain.

24.2 In exceptional circumstances, i.e. when there is no network connectivity, such as on a remote field trip, classified information may be input to and held on a privately-owned portable device provided that the device is encrypted. In such circumstances it must only be kept on the device for the shortest possible time before being securely moved to the University’s servers and deleted from the portable device.

24.3 Portable IT devices are often lost or stolen. Should they contain classified University information this could be compromised in the event of a portable device being lost or stolen unless the device is encrypted. Encryption mechanisms are generally included in modern portable devices but in many cases this has to be implemented. Encryption is automatically implemented on Apple portable devices such as iPads and iPhones. For help and advice on encrypting privately-owned portable IT equipment contact the IT Service Desk.

24.4 Data that is created or accessed on a computer is often cached by the device and, with specialist software and / or skills, it may be recoverable after the files associated with it have been deleted, i.e. when the computer has been disposed of. This is one reason why privately-owned computers must not be used to create or access classified information except via University approved remote access mechanisms which mitigate this risk.

Network connectivity of devices

Policy Requirement

25. “Only IT equipment managed by University IT may be connected to the University wired networks.”

25.1 IT devices managed by University IT are maintained up to date with anti-virus and security patches.

25.2 Computers that are not security-managed by the University pose a risk of introducing viruses and other malware to the University network and could be exploited by others to gain unauthorised access to the University systems and data which is why they cannot be connected to the University’s wired network.

Disposal of devices

Policy Requirement

26. “All unwanted, damaged or obsolete University-owned IT devices (including computer hardware, laptops, tablets and smart phones) must be disposed of through Estates Cleaning Services.”

26.1 Computers and other IT devices contain a substantial amount of data even after files have been deleted. This will be recoverable by anyone with the required skills and tools and may result in classified data being disclosed to unauthorised persons.

26.2 Estates Cleaning Services are to be contacted to arrange for the collection of all University-owned computer hardware that is unwanted, damaged or obsolete. Such equipment is disposed of through contracts with secure disposal companies to ensure that University data at risk of disclosure is securely erased and that the University fulfils its obligations under the Waste Electrical and Electronic Equipment Directive (WEEE Regulations).

26.3 Where possible data is securely wiped from such devices before being sold on by the contractors who return revenue from proceeds to the University, but where this is not practical, components are broken down for destruction and recycling. Under no circumstances should such equipment be sold or donated to members of the University or any other organisations, including charities.