This page contains guidance on the security of data, including storage of classified data, cloud services, using the M: drive and storing data where you need to give access to other people.
Policy Requirement
27. “Unclassified and Confidential University data must be kept on the University servers or in approved cloud services such as Office 365”
27.1 Unclassified and Confidential University data must be kept on University servers or University approved cloud services so that it is backed up with an off-site copy. When data is held on local disks or on other storage where there is no formal backup and off-site storage arrangements it is at risk of being lost in the event of disk failure or an event such as fire or flood.
27.2 Highly Confidential data must be encrypted if kept in Office 365 or kept in encrypted folders on the N: drive. If Highly Confidential data is not to be shared it can be kept on your M: Drive unencrypted.
Policy Requirement
28. “The use of non-University approved cloud services for the storage of ANY University data, including that which is unclassified, is forbidden without formal approval from IT.
28.1 University data can only be stored or processed in cloud services which have been formally approved by the University. Only the suite of Office 365 products that the University has subscribed to can be used for the storage of University data. These are Office 365 email, SharePoint, OneDrive and OneNote.
28.2 No University data can be stored or processed in cloud services such as Dropbox, iCloud, Amazon and Google without formal approval from IT.
28.3 Only use University approved cloud services for the storage or processing of data of such criticality that functions or operations would be not be disrupted should it be lost or become unavailable or corrupted.
Policy Requirement
29. “The M: Drive should be used for the storage of data, including Highly Confidential data that is not to be shared.”
29.1 The M: Drive is your own file storage area and if you store files in that location they are not accessible to other members of your work area. By placing work-related files in your M: Drive that are needed by other members of staff you are denying access to others and that could disrupt University business.
29.2 However, by the same token, Highly Confidential data that is stored in your M: Drive is not accessible by others and as such does not need to be encrypted.
Policy Requirement
30. “The N: Drive or SharePoint or OneDrive should be used for the storage of data that needs to be shared. If Highly Confidential information is kept in these shared storage areas it must be encrypted.”
30.1 There are no restrictions over the storage of unclassified data that needs to be shared. However, if such data is critical or time-costly to recreate you will need to ensure that the data concerned is not the sole copy.
30.2 If you need to store Confidential data in the N: Drive you need to make sure that file permissions are restricted to the minimum members of staff who need access to that information for University purposes, and that permissions are removed when staff change roles.
30.3 Where Highly Confidential data stored in SharePoint or OneDrive needs to be shared with other individuals the decryption / encryption key (password) needs to be divulged to them verbally or via text message, not via email.
30.4 If you need to store Highly Confidential data in the N: Drive you will need to make arrangements for the folders and files to be encrypted as well as restricted to the minimum members of staff who need access to that information for University purposes.
30.5 All requests for the encryption of folders on the N: Drive should be directed to the IT Service Desk.