LearningPool - Information Governance Training - Information Security module transcript


This article will provide the transcript for the Information Security module of the Information Governance training offered for University Staff, Postgraduate Researchers, Contractors and Visitors who have access to University information.

The transcript available in this article is also available for download in both PDF and DOCX (Word) formats; they can both be found under Attachments.

The Information Governance Training also includes the Data Protection module. The transcript for the Information Security module can be found in the knowledge base article KB0016914 or by clicking on this link.

Information Security

This module offers guidance on a variety of topics related to IT Security.

We'll investigate the different types of information, the relevant legislation, why passwords are important and best practice when using the internet and email. We'll also explore where to store electronic information and the issue of viruses and other malicious software and mobile computing.

Introduction

Information resources are vital to the University of Leeds. Their confidentiality, integrity and availability are essential in maintaining service levels, ensuring legal compliance and safeguarding the public image and perception of the University.

It is important that people are able to trust an organisation to act appropriately, both when obtaining and holding information. It is similarly important that information owned by other organisations made available under legal and legislative requirements is also treated appropriately.

Every organisation that uses or provides information resources has a responsibility to maintain and safeguard them, and also to comply with the laws governing the processing and use of information and communications technology.

Every organisation must take security very seriously, and that relies on all staff, postgraduate researchers and students playing their part. Everyone is personally responsible for following the requirements set out in the organisation's Information Protection Policy.

Types of information

Information comes in many formats:

Information security

Information security, by definition, is the protection from a loss of three things:

Why is information important?

Information is the life blood of any organisation, and without information of any sort the institution would cease to exist.

It is essential that information is protected in order for the organisation to carry on performing its function.

The Information Protection Policy is the document that specifies how the University of Leeds will apply information security.

It outlines what risk level is accepted and the responsibilities of staff and every person or organisation covered by the policy.

Legal responsibilities

Relevant legislation

The use and storing of information by an organisation is controlled by certain Acts of Parliament. There are obligations for the University of Leeds and its employees that need to be followed. Let's look at some key information under some of these Acts.

Data Protection legislation

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 give rights to individuals about whom personal data is stored (Data Subjects). They may obtain personal data held about themselves, should be told about the use of personal data, and can expect it to be accurate.

The legislation places obligations on those who store and use personal data (Data Controllers and Data Processors). They must follow sound and proper practices, known as the Data Protection principles.

Principle 6 requires that you have appropriate security measures in place to protect the personal data you hold.

The legislation affords individuals a number of rights; any such requests should be forwarded to the University's Information Governance Team.

Third party data disclosure

Requests to view personal data must be treated as disclosures to third parties under UK GDPR. To share information with a third party under UK GDPR:

Companies Act 1985

Adequate precautions should be taken against the falsification of records and to discover any falsification that occurs.

Copyright, Designs and Patents Act 1998

Software licence compliance requires all software used within the organisation to be legally licensed.

If an organisation is using illegal copies of software, the organisation may face not only a civil suit but individual employees may have criminal liability. If liability is proven this could lead to an unlimited fine and up to ten years' imprisonment per offence.

Computer Misuse Act 1990

Makes it illegal to gain unauthorised access to a computer.

The act is made up of three separate offences:

  1. Hacking (unauthorised access to computer facilities)
  2. Hacking with intent to commit a further crime
  3. Unauthorised amendment, damage or modification of data, including the introduction of computer viruses.

Breach of copyright

Copyright protects material, and the law applies to any medium. This includes literature, art, music, sound recordings, films and broadcasts.

This means you must not reproduce copyright protected work in the same or another medium without permission. For example, publishing photographs on the internet, or making a sound recording of a book.

Trading standards officers now have a general responsibility for the enforcement of copyright infringement. This gives them the right to make test purchases and to seize goods and documents.

In order to effectively enforce copyright law, an organisation must be 100% compliant.

Licensing issues of free software

Very little software is free for corporate use. Software companies often grant a licence for their software to be used at home (for non-commercial purposes) but this does not mean it is free to use for work purposes.

The corporate market is where software companies make their money. Licences must be checked to see what they can be used for.

The activities of a business organisation are obviously considered to be commercial, and therefore software licences must be purchased.

Aside from licensing issues, there are the costs of support - both internal and external. This can change the total cost of owning software and the 'cheap' software may in fact turn out to be more expensive.

Understanding legal responsibilities

Take a moment to think about the reasons why your employer doesn’t allow you to install unlicensed software onto your work computer.

This policy helps to ensure that the organisation is obeying relevant licensing and copyright legislation, whilst safeguarding against viruses and other problems.

Access to systems

Why passwords are important

Why are passwords so important?

Each user of a University computer system should be issued with their own username and password. The username identifies who you are, the password verifies your identity.

All actions on the computer network are logged under the username that performed them. If someone has your password they can pretend to be you; for example, they can send emails and create, modify or delete files.

Even sharing a password temporarily can give that person an indication of how you select your passwords, enabling them to guess it in the future.

If something is done in your name, it will be very hard to prove it wasn't you.

Some organisations insist that passwords are changed every 90 days; however, the National Cyber Security Centre advises that frequent password changes make it more likely that people will write passwords down, which is poor practice.

If your account has been accessed by anyone other than yourself, you must change your password immediately. This change stops someone who has already compromised an account from continuing to gain access.

Passwords must be difficult to guess. Never choose one that can be easily guessed by another person.

University policy is that passwords must be at least eight characters long, including a number, and should contain mixed case letters to provide better security.

Passwords should not be reused or follow an obvious pattern, and must be significantly different from previous passwords.

Choosing a password

Do not just capitalise the first character or add a number to the end. A good password will contain characters from each of the following categories:

Some examples

  1. Explore using two words separated by a number or a punctuation character, such as: 'Pr0%F0otb@ll' or 'F@5t#F00d'
  2. It is more secure to combine three random words into one, rather than to just have one word, such as: 'ParsleyRocketBourbon' or 'FerretChuckleMezzanine'
  3. Avoid common substitutes like changing an 'a' for a '4' or an 'i' for a '1'.
  4. You can use a combination of insert and replace, for example: 'stronger' could be 'str0nGer' or 'str0n&Ger' or even '%tr0n&Ger'
  5. Create a password based on a song title, for example, 'Born to be wild' and the password could be 'B2bW1LLd!'
  6. Experts agree that longer phrases are safer than a single word, for example, 'This may be one way to remember' and the password could be 'TmB1w2R!'
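As an added illustration of the password rules set out above (at least eight characters, a number, mixed-case letters, not reused, not following an obvious pattern and significantly different from previous passwords), the following Python function checks a candidate password against them. This is example code written for this transcript, not code from the module or from the University; the similarity threshold and the "stem" comparison used to detect patterns such as 'Summer2023' followed by 'Summer2024' are assumptions about how "significantly different" might be measured, not a University rule.

```python
import difflib
import re

# Rules taken from the module text: at least eight characters, a number,
# mixed-case letters, and significantly different from previous passwords.
MIN_LENGTH = 8
# Similarity ratio above which a candidate counts as a near-copy of an old
# password (constructed threshold for this example, not a University figure).
MAX_SIMILARITY = 0.8


def _stem(password: str) -> str:
    """Lower-case the password and strip trailing digits/punctuation, so that
    'Summer2023!' and 'summer2024' share the stem 'summer' (an obvious pattern)."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def check_password(candidate: str, previous=()) -> list:
    """Return a list of policy problems; an empty list means the candidate passes.

    `previous` is an iterable of the user's earlier passwords (in practice a
    system would compare hashes, which is outside the scope of this example).
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        problems.append("not mixed case")

    for old in previous:
        if candidate == old:
            problems.append("reused a previous password")
            continue
        stem = _stem(candidate)
        if stem and stem == _stem(old):
            problems.append("follows an obvious pattern from a previous password")
            continue
        ratio = difflib.SequenceMatcher(None, candidate.lower(), old.lower()).ratio()
        if ratio > MAX_SIMILARITY:
            problems.append(f"too similar to a previous password ({ratio:.0%} match)")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, including one of the module's own examples.
    samples = [
        ("Pr0%F0otb@ll", []),
        ("password1", []),
        ("Summer2023!", ["Summer2024"]),
        ("Wint3rHike!", ["Summer2024"]),
    ]
    for pw, old in samples:
        verdict = check_password(pw, old) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The stem check catches the "same word, new year" habit that a plain edit-distance test can miss when the numeric suffix is long, while the difflib ratio catches single-character tweaks such as swapping one letter; a real deployment would combine this with a list of common or breached passwords.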

Password selection DON'Ts

When selecting a password, it is advisable not to:

Alternative authentication

Many organisations including the University now use two-factor authentication alongside passwords, sending a code to a separate device for the user to enter as an extra layer of protection. The University of Leeds uses DUO Multi Factor Authentication. All users of University systems must be enrolled with DUO.

Social engineering

What is social engineering?

Social engineering is a method used to get people to divulge confidential information, such as their username and password. In most cases it can be performed over the phone, text, or email.

What to look for

People asking questions of an unusual or personal nature, or even just asking for your username and password to perform a business function.

A social engineer that wants to get into a specific network can spend months building a relationship with a person in order to get personal information to log into that network.

A more common form of social engineering is an email asking you to click on a link to update some information. The email may appear to come from a bank or similar organisation and can look very convincing; however, the link takes you to a fake website that passes any details entered to unauthorised people. This is known as 'phishing' and is a threat to you at home as well as at work.

How to prevent it

Locking your computer

University managed computers have an automatic timeout that will lock the computer. To help ensure your user account is not used by anyone else, you must always lock your computer when you are away from it. This is a simple, effective IT security measure you can do yourself. If you leave the computer do not wait for the automatic timeout, you must lock it yourself.

The computer must also be closed down properly at the end of each day.

Choosing a password

Have a look at the passwords below and decide whether each is an example of a good or bad password.

From the list, the following adhere to the recommendations for selecting a secure password:

If you are unsure about selecting a secure password, read this section again.

Remembering your password

Which of these tactics should you use to remember your password?

  1. Easy, it is my children's names.
  2. Write it down on a post-it note.
  3. Use a formula to calculate my password so that only I know it.
  4. Tell a colleague in case I forget.

The correct answer is 3.

Use a simple formula for calculating your password so only you know the correct combination of letters, symbols and numbers. Make sure you don't need to write it down anywhere to remember it.

The University and data

The loss of data can cost an organisation thousands of pounds through recovering the data and notifying individuals of personal data loss. Further impact includes the costs of:

Some of the types of data that may be held:

It is important that these kinds of details remain secure, for everyone's benefit.

Storage drives and University data - where to store information

To access the computer storage areas double-click the This PC icon. If it is not a shortcut on the desktop, open the Start Menu to find it.

There are usually a variety of file storage drives, as shown by the different icons on the screen.

When you save documents, there are specific areas you should and should not use. The University’s Information Protection Policy will provide further information, including how to assess and categorise your data.

Further guidance as to the storage of data can be found at dataprotection.leeds.ac.uk.

Why use University network storage?

University network storage is backed up regularly. This means the files stored here are available for use in business areas when needed.

Network storage also allows for consistent access rights to be assigned to files, ensuring that only authorised people can access them.

Confidential and personal information should be disposed of in a way that ensures it cannot be read or used when the organisation does not require it anymore. This includes paper documents and electronic data.

Further information on the disposal of information is available on the data protection website.

Information handling

Risks of using removable media

Removable media can be used to store large amounts of data. However, it is generally small and portable and can be easily lost.

Most data on removable media is unprotected and can be accessed by unauthorised people.

For more information on the use of memory sticks, CDs and floppy disks see the University's Information Protection Policy.

Protecting data

Many organisations have a 'clear desk' requirement whereby all desks must be cleared at the end of each day. However, data must not be left on desks unattended regardless of this.

All personal or sensitive data should be locked away when not in use.

Post-it notes

Passwords and other items of sensitive information are sometimes written on post-it notes and even taped to the computer screen. Needless to say, you should never do this.

Unlocked computers

Never leave your desk with your computer unlocked. This means someone could look at personal and sensitive files and emails, and even send an email as the person logged in.

USB stick

You should never leave a USB stick in the USB drive. This could contain personal or sensitive business data.

Papers or folders

It is also bad practice to leave sensitive papers or folders lying around on your desk, especially those relating to highly confidential data.

Internet use

Risks on the internet

The internet is a very useful resource but comes with many risks to any organisation. It opens the organisation's computer network up to a series of untrusted networks where content can be viewed or copied.

The internet is unregulated and this means any type of content is available. Illegal software, music and inappropriate images are some of the content that a business has a responsibility to ensure does not get downloaded.

This type of content contravenes most organisations' information security policies, and thus companies should do everything they can to prevent such content getting on their network.

The internet can be easily misused, resulting in thousands of pounds in lost productivity.

Accessing the internet

Access to the internet is provided at work to help you to do your job more efficiently and effectively. This can be for a variety of reasons, for example visiting websites for fact-checking purposes, or accessing online systems.

However, you must familiarise yourself with the University’s IT Acceptable Use Policy to understand your responsibilities. This includes:

In most organisations, access to the internet is filtered to protect yourself and the organisation. Use of the internet is often logged and monitored, so that it is possible to identify sites visited by individual users.

Employees aren't typically allowed to download programs or software from the internet. Should you have a genuine business need for additional software you must request this from your IT department.

Appropriate licenses and support must also be in place for all software.

Internet misuse

Limited private use of the internet will often be allowed if it:

Some examples of internet misuse might be:

Email use

Risks of email

Email is legally treated the same as a company letter; it can be used to form contracts and conduct official business.

Emails that contain unsuitable content can result in legal action against the organisation. This includes email attachments.

Email can be misused - resulting in lost productivity.

Using email

Only your assigned University of Leeds email account can be used for the sending and receiving of University-business related emails.

You must process your emails within the University managed Outlook application.

Email is one of the primary communication channels within the University. All users are expected to check their mailbox regularly, ensure permissions and rules are reviewed at least annually, and hold data in line with retention schedules.

Email accounts not used within a period of thirteen months will be lapsed unless IT are informed by the relevant line manager or supervisor of the long-term absence of the user.

The use of University email accounts for sending and receiving personal emails should be avoided.

University emails must not be used to register for personal service providers such as Amazon or utility suppliers.

Viruses and other malware

What is malware?

Malware is software that is designed to infiltrate or damage a computer system without the owner's consent; it is made up of the words 'malicious' and 'software'.

The most familiar type of malware program is a computer virus. However, there are many other types of malware, for example:

All of them will perform an action on your computer that you have not authorised. Sometimes this will be a malicious action such as deleting files and stealing information and at other times it will be to generate income for someone else.

How infections occur and how to protect against them

Infections can occur by

How you can protect your computer

What the University does to protect your computer

In the case of ‘Bring Your Own Device’ (BYOD) you must

What to do if you think your computer is infected

Infecting your computer

Which of the following is most likely to infect your computer with a virus?

  1. Inserting removable media from an unchecked source.
  2. Receiving an email with an attachment, still unopened.
  3. Visiting an infected website.

If you answered 1, inserting removable media from an unchecked source, you were correct: this is the most likely source of a computer virus.

Around 50% of all virus infections come from removable media such as memory sticks that have been plugged into computers without adequate protection.

Mobile computing and devices

Mobile computing threats

Mobile computing offers new types of threats to corporate networks. It allows people access to the network from outside the protected working environment. Threats include:

Mobile computing also means that information may be transmitted over an insecure public network.

Connection of devices

What can be connected to University wired network?

The only devices that can be connected to the University wired network are corporately approved devices that have been risk assessed.

Why can't personal equipment be connected to University wired network?

Personal equipment may not be protected to the same extent as University equipment. This means that accessing the University’s systems from a personal device could cause the introduction of viruses and other malware, or unauthorised software and files getting onto the network. This could in turn cause damage to the network and files and be extremely costly to recover.

Confidential data can also be copied to an insecure device if it is connected to University equipment. This confidential data will not then be subject to the same control and is more likely to be accessed by unauthorised people.

Information security incidents

What are incidents, and why report them?

What is an incident?

An information security incident occurs when there is a compromise, potential compromise or unauthorised use of University data or physical assets.

The University incident reporting procedure gives you more details of when and how to report an incident. This can be found on the Secretariat webpages.

Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation, as well as prosecutions against the business.

Why do incidents need to be reported?

It is a requirement to report all security incidents, so that they can be dealt with quickly and efficiently. Incident reports will also help to identify where future improvements in security can be made.

The incident reporting procedure

Reporting

It is really important that all actual or suspected data security breaches are reported immediately.

The reporting process is as follows:

Breaching the information protection policy

Breaches of the Information Protection Policy could result in disciplinary action or even prosecution.

Disciplinary

The University's disciplinary process may be invoked for a breach of the Information Protection Policy. The type of action taken will reflect the nature of the breach and could result in dismissal.

Prosecution

Breaches of the Information Protection Policy could lead to incidents that affect customers, suppliers or a third party.

This could in turn lead to action in the civil courts resulting in fines for the University and/or in some cases, as with copyright breaches, a criminal case and potentially a jail sentence.

Users could also be individually responsible for their actions, for example in copyright breach.

Other consequences

The purpose of information security is to protect data, equipment, people and the business.

If any users contravene University policies, then they risk their accreditation with a professional body and their employment prospects.

Summary

During the course of the module, we have covered:

Test your knowledge

The following questions are based on what we have covered in this module. The answers can be found below, after the final question.

Question 1

Which of the following are integral to information security?

  1. Data quality
  2. Integrity
  3. Confidentiality
  4. Availability
  5. Secrecy

Question 2

Your organisation sources unlicensed stock photography for use in a marketing campaign. What is this an example of?

  1. An act of copyright infringement
  2. A lawful following of the Freedom of Information Act 2000
  3. A breach of the Companies Act 1985
  4. Malpractice of organisational internet usage

Question 3

From the following options, select examples of poor password security measures:

  1. Using your network user ID as a password
  2. Using a friend's name in your password
  3. Storing passwords in a document in the cloud
  4. Using a password manager
  5. Applying two-factor authentication

Question 4

On a night out, Kofi is approached by someone in a bar, who introduces himself as Stefan. Stefan explains that they met once at work a couple of months ago. Kofi isn’t sure if he remembers Stefan.

The conversation continues and they get on well. They talk about where they went to school. Stefan then asks Kofi about childhood pets: “We were a big dog household. Our first was called Shandy. How about yours?”

What is the best way for Kofi to respond?

  1. "I had a few pets myself. It's been so long, I can't remember I'm afraid."
  2. "I think her name was Holly. She was great but grew up to be massive!"
  3. "Mine was a rabbit called Holly. That was back when I lived on Watts road."

Question 5

Neema is transferring a large amount of files from a removable storage device to her desktop in the office. She chats to her colleagues as she waits for the transfer to complete and offers to do a tea and coffee round for her team.

What should she do before she gets up?

  1. Turn off her computer monitor
  2. Lock her computer
  3. Wait for the file transfer to complete or cancel it
  4. Store the USB stick in a secure place
  5. Ask her colleague to watch the screen and press 'OK' when the transfer is done

Question 6

Which of the following options would be an acceptable usage of the internet at work?

  1. Paying a friend via online banking
  2. Using a company printer to print tickets for a show
  3. Downloading work related software
  4. Finding information on a client's website
  5. Checking property listings
  6. Checking flight times for business travel

Question 7

From the following options, which one is the acceptable use of email at work?

  1. During his break, Benny booked a venue to host a work-related awards ceremony. When asked for contact details, listed his University email address.
  2. Chidi used his company email address to register for an insurer's mailing list.
  3. Before work, Shari emailed details relating to a work meeting from her own personal email address.

Question 8

What should you do if you think your computer is infected with a virus?

  1. Stop working and contact your manager/IT department
  2. Shutdown your computer and perform a system restore
  3. Work as normal, but make sure all of your work is backed up on the cloud
  4. Download reliable anti-virus software from the internet

Question 9

Esther needs to send some urgent confidential client information to a colleague. However, she is in a hurry and still has several tasks to do before the end of the day.

What should Esther do?

  1. Send the email including the confidential document before she leaves the office
  2. Print out the confidential document and leave it on her colleague's desk
  3. Transfer the confidential document to her personal phone to send to her colleague when she's on the train

Question 10

Lily and Esteban are working on a project together. Esteban receives an invoice from the client and sends it over to Lily to look over. When Lily checks the email, she notices that Esteban has accidentally copied a different client into the email.

What should Lily do?

  1. Reach out to the other client and tell them to ignore the email
  2. Tell Esteban what he has done and ask him to apologise to the other client
  3. Not think about it - it shouldn't be a problem anyway
  4. Report the incident to her manager and follow the University’s incident reporting procedure

Answers

Question 1

The correct answers are 2, 3 and 4.

Information security is about protecting an organisation from the loss of:

Question 2

The correct answer is 2.

Sourcing unlicensed stock photography for use in a marketing campaign would breach copyright because, as the images are protected, they cannot be reproduced for a different purpose without permission from the original copyright holder.

Question 3

The correct answers are 4 and 5.

Using a password manager and applying two-factor authentication are examples of good password security measures.

Question 4

The correct answer is 1.

This scenario shows signs of Stefan applying social engineering techniques (asking particular questions of a personal nature) in a possible attempt to guess Kofi's password.

You should be wary of divulging personal information to anyone.

Question 5

The correct answers are 2, 3 and 4.

Never leave your desk with your computer unlocked or leave a USB stick in the USB drive unattended. Removable media should be kept in a secure place when not in use. Don't ask other colleagues to use your computer, especially when sensitive information may be involved.

Question 6

The correct answers are 3, 4 and 6.

It's acceptable to access the internet at work for circumstances that will help you to do your job more efficiently and effectively. Remember to familiarise yourself with your company's 'acceptable use policy' to understand your internet usage responsibilities.

Question 7

The correct answer is 1.

Using work email during breaks or before and after work is okay as long as it does not incur additional cost to the organisation, though some companies operate a zero personal usage policy. You should not subscribe to email mailing lists for private use or use your work email as contact information for private events.

Remember, work emails are usually saved centrally and, since a message cannot be deleted from the central servers, if breaches of policies occur it will be available as evidence.

Question 8

The correct answer is 1.

You should stop working and follow your company's incident reporting procedure for viruses, which may include reaching out to your manager and/or IT department.

Question 9

The correct answer is 1.

Personal equipment may not be protected to the same extent as University equipment - you should avoid storing University information on your personal devices and avoid connecting personal devices to University devices. You should also never leave confidential information out in the open.

Question 10

The correct answer is 4.

Lily should report the information security incident as soon as she's aware of it. The University's 'incident reporting policy' should tell you how to report such incidents.