Choose a strong password & take care of it

• Don’t give or email your password to anyone. Please note IT Helpdesk would never ask for your password by email. See the Phishing and email / telephone scams section for further information.
• If there is a chance that anyone else has become aware of your password then make sure you change it immediately.  
• If you can’t remember your password then write down a number of hints that only you would understand, rather than the actual password. If you intend to access Cardiff Met IT Services from off campus.
• Avoid obvious or common passwords. Choose a password with a minimum of 8 characters (the longer the better) and use a mixture of alphanumeric and special characters. Do not use the same password anywhere else, at home or at work. If required, store passwords in a sealed envelope in a secure location or consider password management software such as LastPass.
• Don’t access the services from publicly accessible computers, such as those in internet cafes or hotels.
• Avoid using insecure Wi-Fi networks for access.
• Remember cloud services may transmit your security credentials automatically even if you don't access them. Anyone listening on an insecure Wi-Fi network may potentially record these and use them to access your files.
• Don't leave your system unattended whilst it is logged on to a Cardiff Met IT service.
• Ensure you set a passcode on your mobile device. This is particularly important if your personal information or emails are accessible on your device.
  

What if I intend to access Cardiff Met IT Services from my own computer?

• Install security software: anti-virus, anti-spyware and a firewall or a security suite that includes all three.
• Keep your computer operating system and applications up to date and use an up to date web browser. 
• Protect yourself against eavesdroppers and freeloaders by using encryption on your home wireless network.
  

What other measures do I need to take if I am giving personal data to an external organisation?

• If you are transferring such data to an external organisation then you must ensure that they will only retain and use the data for the purpose that it was supplied to them and that they won't pass it on to any third parties without Cardiff Met's specific permission.
• If the organisation is authorised to store the data permanently or for a long period of time then please contact IT Helpdesk and ISD will contact the organisation to ensure that it is securely stored.  
  

What other measures should I take to safeguard privacy?

• Lock your workstation if you are likely to be away from the computer for some time.
• Ensure any printouts containing sensitive information are stored securely and shredded when no longer required.
  

Advice for Cardiff Met staff

Regardless of any mechanism employed to secure data offsite, the most effective means of achieving this will always be to not take any confidential data or documents off site. 

Cardiff Met has invested a lot of resources in SharePoint as the primary means of making data and documents available securely to staff and students anywhere that there is an internet connection.

This should always be your first priority. SharePoint offers the user a secure window onto data that remains stored within Cardiff Met's systems. SharePoint will also permit the user to download documents and data onto their local device, again, this should be avoided except where absolutely necessary.

Although Cardiff Met's IT systems are secured to the latest standards, this provides no protection when data is copied from this environment and taken off campus. It's therefore vital that if you absolutely must transport or transmit sensitive data off campus that it is properly secured and encrypted.

If you are a Cardiff Met member of staff, you are responsible for taking adequate security precautions when you take data away from the Cardiff Met network. If you are transferring data onto a personal machine, then you are also responsible for ensuring that this computer is secure.

Cardiff Met can receive a fine of up to £500,000 for inappropriate release of personal data.

Advice for Cardiff Met Students

You should protect any files you create that contain sensitive data. In addition, you may consider password protecting any important work. You should also ensure that any personal computers you use are secure. Please see the advice below for protecting any portable data.

Securing data on your laptop, home desktop, or any computer device used away from campus

If you use technology to access Cardiff Met data, documents, or information that is sensitive or confidential, it is important that you do not allow anyone else to use that technology along with your student or staff credentials. You must log out of your Cardiff Met account on the device before leaving equipment unattended in a shared environment. This must include your family and other people in your household. 

You may utilise local document synchronisation facilities, such as OneDrive Sync, to store copies of your study or work documents on your own devices, but it is vital that no one else use the device while you are logged into your Cardiff Met account, and where possible: 

• use a separate device account to logon when not working on Cardiff Met data or systems, in order to restrict access to Cardiff Met data. 
• use device encryption capabilities to secure work documents synced or downloaded to the device such as Bitlocker for Windows desktops or for Apple Macs running OSX, use FileVault for data encryption. 

You should also ensure your device operating system (Windows, OSX, etc.) and applications are kept up to date with the latest security and functionality updates, and that you maintain anti-virus protection.

Protecting portable data

Any commercially or personally sensitive data stored away from Cardiff Met's server systems should be encrypted to reduce the risk of this data being compromised if your device were to be lost or stolen. This includes transporting or transmitting data via:

• Email
• Laptop
• Pen drive (USB stick)
• Writeable CD / DVD
• Portable hard drive
• Any other portable storage or transmission mechanism
  

In addition to encryption, it is vital that any important data is backed up. Please contact IT Helpdesk for advice on backing up your data.

Sending data via email

The most straightforward way to encrypt data for transmission of most documents via email is to put a password on a Microsoft Office file. Password protected files in Office 2007 or later are securely encrypted. The password to the file should be provided separately to the encrypted email (perhaps by telephone). Please see the following guidance on how to encrypt / password protect an office document.

Securing a Pen Drive (USB memory stick)

If you store sensitive data on a memory stick then it should be encrypted to prevent unauthorised access should you lose it. Modern operating systems such as Windows 7 and later have the option of using "BitLocker To Go". Likewise Apple OSX Lion and later provide the ability to encrypt a USB drive via the Disk Utility. Note that BitLocker encryption cannot be accessed by Apple OSX. Likewise OSX Disk Utility encryption cannot be accessed by Microsoft Windows.

A further option for securing data is 7-zip. It is a free compression utility that will also encrypt files. The encrypting files with 7-Zip guidance details its use on Windows PCs and there are also unofficial versions of 7-zip for OSX such as Keka (this should allow for the transfer of 7-zip files between Windows & Apple OSX based computers).

Securing a writeable CD / DVD

If documents are stored on a CD then these can be password protected. Please see advice on how to password protect an Office document. If you wish to store other types of data, then an encrypted USB memory stick may be a better choice.

Securing data on a portable hard drive

Data on a portable hard drive can also be encrypted using the methods detailed above. 

What is Phishing?

Phishing is a process used by individuals to acquire sensitive information (credit card details, usernames or passwords) or instigate some other action on your computer.  One increasing threat is Ransomware.  This usually starts with an email that has an attachment which, when opened, runs a piece of malware that encrypts all of your data, and will not unencrypt until a ransom is paid.

The email may be disguised to look like it comes from a trustworthy organisation or may even appear to come from a known contact.  Communications claiming to be from your place of employment or study, banks, popular social websites and auction sites are commonly used to trick you into divulging security information.  You may also be told that you are to inherit great sums of money.  This will usually be followed up by getting you to provide bank account details.  The general rule that if it sounds too good to be true, then it probably is.

Phishing is usually carried out by email or instant messaging and often directs users to enter details at a fake website which looks almost identical to the real one, however some phishing scams are able to create pop-ups that appear whilst you are using a banking site.

Phishing telephone calls are also becoming increasingly common.  IT Helpdesk or any legitimate provider you deal with may contact you from time to time, but you should not be asked to send any security information.

Don't trust links contained in emails.  A link can easily be made to look like it leads to a known location when it leads somewhere else. You can often check the URL (web address) of a link in an email or web browser by hovering your mouse over it e.g. www.cardiffmet.ac.uk or www.bbc.co.uk.

If you think a message is genuine and decide to open a link, then check the URL to see if it matches what you would expect - e.g. amazonn.co.uk could fool someone at first glance. Ideally, type the address manually.

Some useful sites for further information on phishing:

• A short video on phishing attacks can be found at the BBC website
• Examples of phishing attacks

More details on the email service along with guidance on handling SPAM can be found here.

Cloud-based services like Dropbox, iCloud, SkyDrive, Cloud Drive, SugarSync and Google Drive are becoming increasingly popular. They provide an easy to use means of accessing files, across multiple devices, from any location.  

Any use of such services does, however, mean that you are entrusting the provider to keep the data safe and secure from threats. Whilst, this may be acceptable in a personal context, there are numerous risks that must be considered in respect of corporate or research data. 

This section identifies the risks of using such services and provides guidance on the actions that should be used to mitigate these.

Risks of using Cloud Based Services

Potential Breach of Data Protection Act - The Data Protection Act defines UK law in respect of processing personal data (what is personal data?). All staff members are responsible for abiding by the Act and transferring or storing data on a cloud system does not absolve you of responsibility. 

As the owner of the data, you will be responsible for its Data Protection and ensuring that it is processed and stored in compliance with the act.

Geographical spread - Contracting, for cloud services, with a UK based supplier is no guarantee that the data will be housed in the UK. They may subcontract with an overseas firm to carry out the data storage or for data centre facilities. Storage outside of the EEA brings additional implications in respect of the Data Protection Act. 

Unless there is a clear contractual obligation, from the supplier, to only store the data in the EEA, then you need to assume it may be stored elsewhere.

Loss or Disclosure of Valuable Data - Cloud supplier’s terms generally only offer very limited liability against data loss, disclosure or corruption. The risks include deletion due to non-payment of bills, service failure, contractual issue, service failure, supplier going out of business, acquisition, supplier hacked and interception in transit.

Remember that ex-staff may still have access to cloud services even after their resignation or termination and could still continue accessing or modifying the data. 

You should also consider the value of the data before sending it to a cloud service. Does it have high commercial value or could there be potential issues with intellectual property rights?

The FBI - The Patriot Act and other US legislation dictates that the FBI and other US Government agencies will be able to obtain access to your data if it is stored with a US company or is housed in a US owned Data Centre even if this is based in the EU. 

Should research data be stored somewhere that makes it accessible to US Government agencies?

Service Quality - There is a risk of failure or inadequate performance of every IT service. Generally such problems can be addressed by the organisation and its software and hardware suppliers.

In respect of cloud based systems there may also be a reliance on aspects that neither party has any control over i.e. the Internet. It may therefore, be very difficult to troubleshoot service quality issues.

The Unknown - Cloud services are still fairly immature and the security and access technology is still developing. They are also more likely to be attacked as hackers prefer to attack systems that have numerous clients and vast amounts of data than resources managed in-house by single companies. 

With local services, it is usually possible to take fast and robust action to manage any threats that occur however with cloud services you are reliant on the commercial cloud provider and internet providers.  Their actions are likely to be for commercial reasons or for the greater good of all. These may be to the determent of individual organisations.

Guidance for Secure Use of Cloud-Based Services

Contract / Terms and Conditions - In addition to addressing any risks identified on this page, you must ensure the contract or terms and conditions provide contractual clauses that cover all of your requirements.

One of the most important contractual requirements is that you have a clear transition out plan that ensures the continued availability and security of your data.

Safe Usage - You need to be aware of the service you are using. Unless you are happy for the files to be potentially disclosed to the public or lost then you should ask questions such as:

• Are files encrypted when they stored on the service?
• Are the files stored on my smartphone or device encrypted or password protected?
• What security measures and practices does the cloud provider employ?  

Backup - Unless you can afford to lose the data you are storing on the cloud service then you should ensure it is regularly and securely backed up.  Providers such as Dropbox make it clear, in their terms, that you are responsible for maintaining and protecting all of your stuff. 

Summary of Recommended Actions

• DO NOT store any personal or confidential corporate information on non-Cardiff Met external storage systems and services.
• DO consider the risks carefully before storing any other data or documents on non Cardiff Met storage. It is accepted that many work documents would not constitute a risk to persons or corporate sensitivities if lost, stolen or otherwise disclosed. As such staff members are expected to perform an assessment of the risks identified in this document.  
• You should ensure that measures are taken to mitigate any risks. If necessary then consult with IT Helpdesk for advice on technical aspects and IT Security.
  

Information on computer-related legislation is available at https://www.jisc.ac.uk/guides/networking-computers-and-the-law/laws.

HEI’s, by their very nature, need to remain current in technology. This, in turn, creates a rate of obsolescence in IT equipment. The disposal of obsolete or failed IT equipment needs to be properly controlled and in line with Cardiff Met's Disposal Procedure and Sustainability Policy.

Links for Cardiff Met Staff (only)

IT section on the policy hub

The disposal of electronic equipment frequently entails the disposal of electronic media that may contain data that is potentially confidential or of commercial value. This document outlines guidance and procedures associated with disposal of IT equipment and the data held upon it, within Cardiff Met.

Recent global initiatives have highlighted the need for stricter control on the disposal of certain materials. In the UK there is a range of waste-management laws which might affect businesses disposing of old equipment. Among them are:

• The duty of care (responsibility) for waste, which applies to all businesses.
• The requirements of the Waste Electrical and Electronic Equipment (WEEE) Directive came into force in January 2007. It aims to reduce waste arising from electrical and electronic equipment and its environmental impact.

There are 3 main issues that give rise to the need for managing the disposal of IT equipment:

• Data Protection – Certain IT equipment will contain data that is confidential and it is important to ensure that such data is properly destroyed prior to disposal. However, it can be difficult to ensure total and irrevocable destruction of data with certain equipment.
  
• Disposal of Assets – Control is necessary to maintain asset registers, financial accounting and security.
• Protection of the Environment – Some IT equipment is made of material that can be recycled. In addition, certain items may contain chemicals that are hazardous to the environment.

Only when no other use can be found, and no acceptable residual value for the equipment remains, can equipment be disposed of through either recycling or given away e.g. charity, staff for home use etc. or lastly waste disposal, (subject to meeting Data Protection requirements outlined in section 3.2).

All reasonable efforts should be made to identify other departments or staff that may be able to re-use equipment deemed for disposal. 

Disposal of data

All University data and any software licensed to the University must be removed and/or destroyed prior to the equipment leaving the possession of the University (or its staff, where use of equipment has been made outside of Cardiff Met's estate, e.g. laptop computers used at home).  

Removable electronic storage media such as pen drives, CD's, and portable hard drives should not be passed on with equipment, but instead, should be retained by the department or erased and disposed of by secure means.

Responsibility for removal of software and data rests with the department that owns the equipment and must not be delegated to any person outside the University without strict contractual obligations being imposed. Such undertakings should only be achieved with the knowledge and support of the Head of ISD.

The effort taken to dispose of data held on equipment should be proportionate to the value and/or confidentiality of the data, and if in doubt, assume the worst.

Disposal of Assets

Prior to disposal of IT equipment, authority must be gained from the budget-holder responsible for the equipment. A record of the disposal should be kept by the Head of School/Unit noting the destination and residual value of the item being disposed of.  ISD may assist in advising of the residual value of IT equipment. Disposal records should be submitted to the Finance Department upon request.

Protection of the Environment

Some IT equipment is classified as hazardous to health or the environment. The advice of ISD should be sought if in any doubt. Types of hazardous equipment include, but is not limited to:

• VDU's/Monitors – may contain substances hazardous to the environment.
• Battery Back-up units/UPS's – may contain lead and acid.

Any equipment reasonably capable of being recycled should be recycled.  

Responsibilities

All Schools and Units are responsible for:

• Ensuring the safe and secure disposal of the IT equipment owned by them
• Ensuring the application of the procedures

Cardiff Met's ISD Unit is responsible for:

• Disposal of all centrally owned IT equipment such as Open Access equipment and centrally purchased servers
• Advising on which equipment may be considered hazardous
• Assisting with wiping/clearing media and equipment containing potentially sensitive data prior to disposal
• Ensuring the application of these procedures
• Reviewing and advising on these procedures

IT security developments.