Welcome to the security page
The objectives of IT Security at CardiffMet are to maintain the availability of IT services, to safeguard the confidentiality and integrity of information resources and to ensure that computer usage complies with relevant legislation.
An important part of this is related to the measures put in place by Library and Information Services to protect information resources. Many of these occur in the background so you may not be aware that they are happening.
Ultimately, however, all members of staff and students are responsible for IT Security. Please refer to the Electronic Communications Policy for further information on your responsibilities.
The most important thing is that if you are unsure about any actions you have taken or are about to take and whether these could have any IT security implications then please check with the IT Helpdesk.
In addition, if you are aware of any IT Security related incidents and would like to report these in person or anonymously, you may do so by emailing itsecurity@CardiffMet.ac.uk.
Regardless of any mechanism employed to secure data off site, the most effective means of protecting it will always be not to take any confidential data or documents off site at all.
Cardiff Met has invested a lot of resources in SharePoint as the primary means of making data and documents available securely to staff and students anywhere that there is an internet connection.
This should always be your first choice. SharePoint offers the user a secure window onto data that remains stored within Cardiff Met's systems. SharePoint will also permit the user to download documents and data onto their local device, but this should be avoided except where absolutely necessary.
Although Cardiff Met's IT systems are secured to the latest standards, this provides no protection when data is copied from this environment and taken off campus. It's therefore vital that if you absolutely must transport or transmit sensitive data off campus that it is properly secured and encrypted.
If you are a Cardiff Met member of staff, you are responsible for taking adequate security precautions when you take data away from the Cardiff Met network. If you are transferring data onto a personal machine, then you are also responsible for ensuring that this computer is secure.
Cardiff Met can receive a fine of up to £500,000 for inappropriate release of personal data.
You should protect any files you create that contain sensitive data. In addition, you may consider password protecting any important work. You should also ensure that any personal computers you use are secure. Please see the advice below for protecting any portable data.
Any commercially or personally sensitive data stored away from Cardiff Met's server systems should be encrypted to reduce the risk of this data being compromised if your device were to be lost or stolen. This includes transporting or transmitting data via:
In addition to encryption, it is vital that any important data is backed up. Please contact IT Helpdesk for advice on backing up your data.
The most straightforward way to encrypt most documents for transmission via email is to put a password on a Microsoft Office file. Password protected files in Office 2007 or later are securely encrypted. The password to the file should be provided separately from the encrypted email (perhaps by telephone). Please see the following guidance on how to encrypt / password protect an Office document.
If you have a Cardiff Met laptop that you use to take sensitive data off campus, then please contact the helpdesk for advice on having it configured securely.
If you store sensitive data on a memory stick then it should be encrypted to prevent unauthorised access should you lose it.
Modern operating systems such as Windows 7 and later have the option of using "BitLocker To Go". Likewise Apple OSX Lion and later provide the ability to encrypt a USB drive via the Disk Utility.
Note that BitLocker encryption cannot be accessed by Apple OSX. Likewise OSX Disk Utility encryption cannot be accessed by Microsoft Windows.
A further option for securing data is 7-Zip. It is a free compression utility that will also encrypt files. The encrypting files with 7-Zip guidance details its use on Windows PCs, and there are also unofficial versions of 7-Zip for OSX such as Keka (this should allow for the transfer of 7-Zip files between Windows and Apple OSX based computers).
If documents are stored on a CD then these can be password protected. Please see advice on how to password protect an Office document. If you wish to store other types of data, then an encrypted USB memory stick may be a better choice.
Data on a portable hard drive can also be encrypted using the methods detailed above.
Phishing is a process used by individuals to acquire sensitive information (credit card details, usernames or passwords) or to instigate some other action on your computer. One increasing threat is Ransomware. This usually starts with an email that has an attachment which, when opened, runs a piece of malware that encrypts all of your data and will not decrypt it until a ransom is paid.
The email may be disguised to look like it comes from a trustworthy organisation or may even appear to come from a known contact. Communications claiming to be from your place of employment or study, banks, popular social websites and auction sites are commonly used to trick you into divulging security information. You may also be told that you are to inherit great sums of money. This will usually be followed up by getting you to provide bank account details. The general rule is that if it sounds too good to be true, then it probably is.
Phishing is usually carried out by email or instant messaging and often directs users to enter details at a fake website which looks almost identical to the real one. However, some phishing scams are able to create pop-ups that appear whilst you are using a banking site.
Phishing telephone calls are also becoming increasingly common. IT Helpdesk or any legitimate provider you deal with may contact you from time to time, but you should not be asked to send any security information.
Don't trust links contained in emails. A link can easily be made to look like it leads to a known location when it leads somewhere else. You can often check the URL (web address) of a link in an email or web browser by hovering your mouse over it e.g.
If you think a message is genuine and decide to open a link, then check the URL to see if it matches what you would expect - e.g. amazonn.co.uk could fool someone at first glance. Ideally, type the address manually.
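The "hover and check the URL" advice above can also be applied automatically to an email body. The following is an added example, not code from the Cardiff Met page: it extracts each link from a constructed HTML email and flags any whose visible text names one host while the href leads elsewhere, or whose host is a near-miss of a domain you expect (EXPECTED_DOMAINS is an assumed list).

```python
"""Added example, not from the Cardiff Met page: applies the advice above to an
HTML email by flagging links whose visible text names one host while the href
goes to another, and hrefs that are near-misses of an expected domain (e.g.
amazonn.co.uk for amazon.co.uk). The email and EXPECTED_DOMAINS are constructed."""
import difflib
import re
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"cardiffmet.ac.uk", "amazon.co.uk"}  # assumed for the example

SAMPLE_EMAIL = (  # constructed phishing-style message
    '<p>Your account is locked. <a href="http://amazonn.co.uk/login">'
    'Sign in at amazon.co.uk</a> or visit '
    '<a href="http://198.51.100.7/x">www.cardiffmet.ac.uk</a>. '
    '<a href="https://www.cardiffmet.ac.uk/">Cardiff Met</a></p>'
)

# Simplified anchor extractor: (href, visible text) for each <a href="...">...</a>.
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Lower-cased host of a URL or bare host string ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html):
    """Return (href, reason) for each link a reader should not trust."""
    findings = []
    for href, text in _ANCHOR.findall(html):
        real = _host(href)
        text = re.sub(r"<[^>]+>", "", text).strip()      # drop inline tags
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and not _under(real, shown):           # text says X, link goes to Y
            findings.append((href, f"text shows {shown} but link goes to {real}"))
        elif not any(_under(real, d) for d in EXPECTED_DOMAINS):
            near = difflib.get_close_matches(real, EXPECTED_DOMAINS, n=1, cutoff=0.8)
            if near:                                    # lookalike of a known domain
                findings.append((href, f"{real} looks like {near[0]}"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` reports the amazonn.co.uk lookalike and the link whose text reads www.cardiffmet.ac.uk but points at a bare IP address, while the genuine Cardiff Met link passes.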
Some useful sites for further information on phishing: a short video on phishing attacks can be found at the BBC website. Examples of
More details on the email service along with guidance on handling SPAM can be found
Cloud-based services like Google Drive are becoming increasingly popular. They provide an easy-to-use means of accessing files, across multiple devices, from any location.
Any use of such services does, however, mean that you are entrusting the provider to keep the data safe and secure from threats. Whilst this may be acceptable in a personal context, there are numerous risks that must be considered in respect of corporate or research data.
This section identifies the risks of using such services and provides guidance on the actions that should be used to mitigate these.
Potential Breach of Data Protection Act
The Data Protection Act defines UK law in respect of processing personal data (what is personal data?). All staff members are responsible for abiding by the Act and transferring or storing data on a cloud system does not absolve you of responsibility.
As the owner of the data, you will be responsible for its Data Protection and ensuring that it is processed and stored in compliance with the act.
Contracting, for cloud services, with a UK based supplier is no guarantee that the data will be housed in the UK. They may subcontract with an overseas firm to carry out the data storage or for data centre facilities. Storage outside of the EEA brings additional implications in respect of the Data Protection Act.
Unless there is a clear contractual obligation, from the supplier, to only store the data in the EEA, then you need to assume it may be stored elsewhere.
Loss or Disclosure of Valuable Data
Cloud suppliers' terms generally only offer very limited liability against data loss, disclosure or corruption. The risks include deletion due to non-payment of bills, service failure, contractual issues, the supplier going out of business, acquisition, the supplier being hacked and interception in transit.
Remember that ex-staff may still have access to cloud services even after their resignation or termination and could still continue accessing or modifying the data. You should also consider the value of the data before sending it to a cloud service. Does it have high commercial value or could there be potential issues with intellectual property rights?
The FBI
The Patriot Act and other US legislation dictate that the FBI and other US Government agencies will be able to obtain access to your data if it is stored with a US company or is housed in a US owned Data Centre, even if this is based in the EU.
Should research data be stored somewhere that makes it accessible to US Government agencies?
Service Quality
There is a risk of failure or inadequate performance of every IT service. Generally such problems can be addressed by the organisation and its software and hardware suppliers.
In respect of cloud based systems there may also be a reliance on aspects that neither party has any control over, i.e. the Internet. It may therefore be very difficult to troubleshoot service quality issues.
The Unknown
Cloud services are still fairly immature and the security and access technology is still developing. They are also more likely to be attacked, as hackers prefer to attack systems that have numerous clients and vast amounts of data rather than resources managed in-house by single companies.
With local services, it is usually possible to take fast and robust action to manage any threats that occur. With cloud services, however, you are reliant on the commercial cloud provider and internet providers. Their actions are likely to be for commercial reasons or for the greater good of all, and these may be to the detriment of individual organisations.
Contract / Terms and Conditions
In addition to addressing any risks identified on this page, you must ensure the contract or terms and conditions provide contractual clauses that cover all of your requirements.
One of the most important contractual requirements is that you have a clear transition out plan that ensures the continued availability and security of your data.
Safe Usage
You need to be aware of the service you are using. Unless you are happy for the files to be potentially disclosed to the public or lost then you should ask questions such as:
Unless you can afford to lose the data you are storing on the cloud service then you should ensure it is regularly and securely backed up. Providers such as Dropbox make it clear, in their terms, that you are responsible for maintaining and protecting all of your stuff.
DO NOT store any personal or confidential corporate information on non-Cardiff Met external storage systems and services.
DO consider the risks carefully before storing any other data or documents on non-Cardiff Met storage. It is accepted that many work documents would not constitute a risk to persons or corporate sensitivities if lost, stolen or otherwise disclosed. As such, staff members are expected to perform an assessment of the risks identified in this document.
You should ensure that measures are taken to mitigate any risks. If necessary then consult with IT Helpdesk for advice on technical aspects and IT Security.
Information on computer-related legislation is available at
The disposal of electronic equipment frequently entails the disposal of electronic media that may contain data that is potentially confidential or of commercial value.
This document outlines guidance and procedures associated with disposal of IT equipment and the data held upon it, within Cardiff Met.
Recent global initiatives have highlighted the need for stricter control on the disposal of certain materials.
In the UK there is a range of waste-management laws which might affect businesses disposing of old equipment. Among them are:
The duty of care (responsibility) for waste, which applies to all businesses.
Only when no other use can be found, and no acceptable residual value for the equipment remains, can equipment be disposed of, either through recycling, by being given away (e.g. to charity, or to staff for home use) or, lastly, through waste disposal (subject to meeting the Data Protection requirements outlined in section 3.2).
All reasonable efforts should be made to identify other departments or staff that may be able to re-use equipment deemed for disposal.
All University data and any software licensed to the University must be removed and/or destroyed prior to the equipment leaving the possession of the University (or its staff, where use of equipment has been made outside of UWIC's estate, e.g. laptop computers used at home).
Responsibility for removal of software and data rests with the department that owns the equipment and must not be delegated to any person outside the University without strict contractual obligations being imposed. Such undertakings should only be achieved with the knowledge and support of the Head of ISD.
The effort taken to dispose of data held on equipment should be proportionate to the value and/or confidentiality of the data, and if in doubt, assume the worst.
Prior to disposal of IT equipment, authority must be gained from the budget-holder responsible for the equipment.
A record of the disposal should be kept by the Head of School/Unit noting the destination and residual value of the item being disposed of. ISD may assist in advising of the residual value of IT equipment.
Disposal records should be submitted to the Finance Department upon request.
Some IT equipment is classified as hazardous to health or the environment. The advice of ISD should be sought if in any doubt. Types of hazardous equipment include, but are not limited to:
VDUs/Monitors – may contain substances hazardous to the environment.
Battery Back-up units/UPSs – may contain lead and acid.
Any equipment reasonably capable of being recycled should be recycled.
All Schools and Units are responsible for:
Ensuring the safe and secure disposal of the IT equipment owned by them
Ensuring the application of the procedures
Cardiff Met's ISD Unit is responsible for:
Disposal of all centrally owned IT equipment such as Open Access equipment and centrally purchased servers
Advising on which equipment may be considered hazardous
Assisting with wiping/clearing media and equipment containing potentially sensitive data prior to disposal
Ensuring the application of these procedures
Reviewing and advising on these procedures
Cardiff Metropolitan University, Llandaff Campus, Western Avenue, Cardiff, CF5 2YB
Copyright © Cardiff Metropolitan University
Registered Charity: 1140762