Version number: | 2024 |
Policy owner: | The University of Chichester |
Effective date: | 07/08/2024 - reviewed (at least) annually. |
Electronic Information Security Policy
Policy Statement
Electronic information is acquired and created all the time and is increasingly essential to all aspects of the functions of the University. Anyone who uses the University's services may have various levels of access to information relating to other people. This information must be carefully protected in accordance with (for example) UK Data Protection legislation.
The security of this information relies on technical protections, but also on how people use and operate devices and services that can access University information.
The University requires, therefore, that all users of University IT facilities must be aware of, and must apply this Policy to minimise the potential risks from accidental data loss/exposure, and to help in resisting the methods used by cyber-criminals.
In order to use University services, you are expected to fully comply with this Policy at all times.
The purpose of this policy is:
- to minimise the risks to the University arising from loss or exposure of information;
- to raise awareness of the potential risks involved and how technical configuration alone cannot entirely prevent data loss, or ensure compliance with the policy;
- to identify legal and contractual requirements and University policies that mean there are some practices that must be avoided;
- to provide all users of University IT Services with the following framework of actions, supplemented by more general guidance noted;
- to ensure consistency in the way IT facilities provided are used to minimise nugatory costs and maximise the security of information.
Electronic Information Security Policy
The Electronic Information Security Policy consists of the succinct code of conduct set out below and is supported by the further advice and guidance set out in these help pages. The Electronic Information Security Policy applies to all usage of IT facilities provided by or made available by the University. This includes University IT equipment and services, but also covers any device (including personal devices) that uses the University’s WiFi or connects to any other University IT asset or service.
All ‘users’ (students, staff and visitors) of University’s IT systems and services must comply with the Electronic Information Security Policy. Failure to do so may result in access being withdrawn, and in serious cases, referral to the applicable disciplinary policies.
You must;
- Use University IT systems and services for University business and in accordance with all University policies.
- Ensure that your use of University IT devices, systems and services is appropriate, minimising risks to privacy and is in accordance with the University policies and objectives.
- Abide by all ‘terms of service’ and the conditions of contracts and licencing for software that is used in relation to the University.
- When using a personal device to access University IT services, ensure the device, and your use of the device complies with the advice set out in the Personal Devices guidance [Link]
- Maintain a clear screen, clear desk approach - storing data not on 'the desktop' but in suitable network storage, and paper information in secure cabinets
- Store information in the most suitable (lowest risk) facility, for example in a University case management system or network folder.
- Inform the University’s Data Protection Officer immediately if you become aware of a loss of your or anyone else's personal data.
- Inform the University’s Data Protection Officer immediately if you become aware of any issue that may endanger the University’s full compliance with UK Data Protection legislation.
- Inform the University's Support and Information Zone (SIZ) immediately, if you believe there has been a loss of a device (e.g., a laptop or mobile phone) that may contain University information.
- Physically secure (lock away) all equipment containing (or with facility to access) private [1] and confidential [1] information when not being used.
- Advise SIZ of any leaving date, intermittence, or sabbatical to enable your access to services and information to be updated, and for you to return University owned IT.
- Report any misuse of IT systems or infringement of this Electronic Information Security Policy (through the SIZ)
You must not;
- Alter administrative device or systems settings, or otherwise jeopardise the integrity of computer equipment, software or information.
- Alter or install software onto University computing equipment [2] .
- Solicit, encourage or endorse use of, any non University or external computer system, until or unless this is approved by the University's IT Service
- Use any computer system or software in a new context without first having consulted IT and the DPO and established whether a Data Protection Impact Assessment (DPIA) is required.
- Take University IT equipment off-campus, without the appropriate authority to do so.
- Store University information in ad-hoc or general storage such as email accounts, non University personal cloud storage or removable media such USB Sticks.
- Use University IT systems or services for any non University activity [2] without appropriate authority from IT Services.
- Use your University identification or passwords with non University services.
- Use any University computing services to gain unauthorised access to any University or non-University information.
- Use any University computing services to gain unauthorised access to copyrighted, personal, private or confidential material [3].
- Acquire, store, share or distribute unauthorised [1] information.
- Use proxy-avoidance and anonymiser websites to access unauthorised and unsuitable websites [4].
- Use AI assistance, or applications that share your activity (especially where this shares data on research subjects, and individuals, Confidential or Private information) with Large Language Models)
- Create, download, store or transmit unlawful material, or material that is indecent, offensive, defamatory, threatening [5], discriminatory or extremist [6] .
- Share any documents or folders you have access to, particularly any that contain private [1] or confidential [1] information, other than as required for University business and with the proper authorisation.
- Transform any confidential information communicated with you (for example using a recording of a video conference or copying any email or instant messages) to any other media or facility.
[1] For definitions of Private, Confidential and Unauthorised information please see the Information & secure storage page on the IT Help Website
[2] This is because University equipment uses discounted HE software licencing, and commercial licences may be required.
[3] This particularly includes downloading copies of academic journals, films and music outside of their copyright requirements.
[4] Exceptions can be made for the collection and storage of sensitive materials for authorised research.
[5] This includes anything that might be considered as bullying, grooming, radicalisation, harassment or stalking
[6] The University observes the Prevent Duty of Care and reserves the right to block or monitor access to such material.
Ref Access Controls and Cryptographic Standards
The University's Electronic Information Security Policy (above) incorporates the sector policy set out below:
Summary of the Universities and Colleges Information Systems Associations' (UCISA) HE IT code
The following is a very brief summary of the main points of the regulations you're expected to be familiar with. The University specific Electronic Information Security Policy is available above, and this supports the regulations governing academic conduct available at https://www.chi.ac.uk/about-us/policies-and-statements/academic-quality-and-standards/ , and the University’s privacy standard, which is available at: https://www.chi.ac.uk/about-us/policies-and-statements/data-protection/
Summary IT Code
Governance:
Don't break the law
Do abide by the University's regulations and policies and to observe the regulations of any third parties whose fill facilities you access
Identity:
Don't allow anyone else to use your access credentials or your University devices, don't disguise your online identity and don't attempt to obtain or use anybody else’s.
Infrastructure:
Don't put the University's IT facilities at risk by introducing malware interfering with hardware or loading or unauthorised software.
Information:
Safeguard personal data respect other people's information and don't abuse copyright material remember that mobile devices may not be a secure way to handle information.
Keep devices you use safe from unauthorised use, work in safe places where you cannot be overlooked, and lock devices away when not in use
You should set a lock-on-leave function if possible. See Bluetooth and Camera based facilities that can enable this
Behaviour:
Don't waste IT resources, interfere with others legitimate use, or behave towards others in a way that would not be acceptable in the physical world.
The (full) HE IT code
The following is the regulations you are expected to be familiar with. The University's Electronic Information Security Policy is available above, and this enshrine the regulations governing academic conduct available at https://www.chi.ac.uk/about-us/policies-and-statements/academic-quality-and-standards/ , and the University’s privacy standard, which is available at: https://www.chi.ac.uk/about-us/policies-and-statements/data-protection/
The aim of these regulations is to help ensure that the University’s IT facilities can be used safely lawfully and equitably. The issues covered by these regulations are complex and you are strongly urged to read the accompanying guidance available at https://help.chi.ac.uk
1: Scope
These regulations apply to anyone using the facilities (hardware software data network access third party services online services or IT credentials) provided or arranged by the University.
2: Governance
When using IT, you remain subject to the same laws and regulations as in the physical world.
It is expected that your conduct is lawful. Furthermore, ignorance of the law is not considered to be an adequate defence for unlawful conduct.
When accessing services from another jurisdiction, you must abide by all relevant local laws, as well as those applicable to the location of the service.
You are bound by the University's general regulations when using the facilities available
You must abide by the regulations applicable to any other organisation whose services you access
When using services via Eduroam you are subject to both regulations of the University and the institution where you are accessing the services.
Some software licences procured by the University will set out additional, or specific obligations for the user.
Breach of any applicable law or third party regulation will be regarded as breach of these IT regulations
3: Authority
These regulations are issued under the authority of the Director of Information and Learning Technologies who is also responsible for their interpretation and enforcement and who may also delegate such authority to other people
You must not use the IT facilities without the permission of IT Services
You must comply with any reasonable written or verbal instructions issued by people with delegated authority in support of these regulations. If you feel that any such instructions are unreasonable or are not in support of these regulations, you may make an appeal through the SIZ.
4: Intended use
The IT facilities are provided for use in furtherance of the mission of the University, for example to spot a course of study, research or in connection with your employment by the University.
Use of these facilities for personal activities (provided that it does not infringe any of the regulations and does not interfere with others’ valid use) is permitted, but this is a privilege that may be withdrawn at any point.
Use of these IT facilities for non University commercial purposes or for personal gain requires explicit approval of the Director of Information and Learning Technologies.
Use of certain licences is only permitted for academic use and where applicable to the code of conduct published by the combined higher education software team (CHEST) who are a part of UCISA (Universities and Colleges Information Systems Association).
5: Identity
You must take all reasonable precautions to safeguard any IT credentials (for example a username and password, e-mail address, door/campus/ID/Printing smartcard card or other identity hardware issued to you.
You must not allow anyone else to use your IT credentials
Nobody has the authority to ask you for your password and you must not disclose it to anyone.
You must not attempt to obtain or use anyone else’s credentials
You must not impersonate someone else or otherwise disguise your identity when using the IT facilities.
6: Infrastructure
You must not do anything to jeopardise the integrity of the IT infrastructure by, for example, doing any of the following without approval;
- Damaging reconfiguring or moving equipment.
- Loading software on University equipment other than in approved circumstances.
- Reconfiguring or connecting equipment to the network other than by approved methods.
- Accessing University information or services, with personal devices that do not have security, to the standards set out by IT Services
- Setting up servers or services on the network
- Deliberately or recklessly introducing malware
- Attempting to disrupt or circumvent IT security measures
7: Information
If you handle personal confidential or sensitive information you must take all reasonable steps to safeguard it and must observe the University's data protection information security policies and guidance available at https://help.chi.ac.uk, Particularly with regard to removable media, mobile and privately owned devices.
You must not infringe copyright or break the terms of licences for software or other material.
You must not attempt to access delete, modify or disclose information belonging to other people without their permission or explicit approval from the Director of Information and Learning Technologies.
You must not create download store or transmit unlawful material or material that is indecent, offensive, threatening or discriminatory.
The University has procedures to approve and manage valid activities involving such material; where, for example, this is required for approved research.
You must abide by the University's publication and social media policies.
8: Behaviour
Real world standards of behaviour apply online and on social networking platforms such as Facebook, Instagram and Twitter (X).
You must not cause needless offence concerns or annoyance to others.
You should also adhere to the University's guidelines on social media.
You must not send spam (unsolicited bulk e-mail)
You must not deliberately or recklessly consume excessive IT resources, such as processing power bandwidth or consumables.
You must not use the facilities in a way that interferes with others’ valid use of them
9: Monitoring
The University monitors and records the use of its IT facilities for the purposes of:
- The effective and efficient planning and operation of the IT facilities.
- Detection and prevention of infringement of these regulations
- Investigation of alleged misconduct
- Ensuring the Prevent duty of care
The University will comply with lawful requests for information from government and law enforcement agencies.
10: Infringement
Infringing these regulations may result in sanctions under the University’s disciplinary processes. Penalties may include withdrawal of services and offending material will be taken down
information about infringement may be passed to appropriate law enforcement agencies and any other organisations whose regulations you have breached.
The University reserves the right to recover from you any cost incurred as a result of your infringement.
You must inform SIZ if you become aware of any infringement of these regulations.
Document Owner: Director of Information and Learning Technologies
Most Recent Review Date: 07 Aug 2024 - Review by 06 Aug 2025
This document was been prepared using the following ISO27001:2022 standard controls as reference:
Reviewed: | Aug 2024 |