Regardless of any mechanism employed to secure data offsite, the most effective means of achieving this will always be to not take any confidential data or documents off site.  ​

​Cardiff Met has invested a lot of resources in SharePoint as the primary means of making data and documents available securely to staff and students anywhere that there is an internet connection.

This should always be your first priority. SharePoint offers the user a secure window onto data that remains stored within Cardiff Met's systems. SharePoint will also permit the user to download documents and data onto their local device, again, this should be avoided except where absolutely necessary.

Although Cardiff Met's IT systems are secured to the latest standards, this provides no protection when data is copied from this environment and taken off campus. It's therefore vital that if you absolutely must transport or transmit sensitive data off campus that it is properly secured and encrypted.

If you are a Cardiff Met member of staff, you are responsible for taking adequate security precautions when you take data away from the Cardiff Met network. If you are transferring data onto a personal machine, then you are also responsible for ensuring that this computer is secure.

​​Cardiff Met can receive a fine of up to £500,000 for inappropriate release of personal data.​

​

​Advice for Cardiff Met Students

You should protect any files you create that contain sensitive data. In addition, you may consider password protecting any important work. You should also ensure that any personal computers you use are secure. Please see the advice below for protecting any portable data.

​​

​​Protecting portable data

Any commercially or personally sensitive data stored away from Cardiff Met's server systems should be encrypted to reduce the risk of this data being compromised if your device were to be lost or stolen. This includes transporting or transmitting data via:

• Email
• Laptop
• Pen drive (USB stick)
• Writeable CD / DVD
• Portable hard drive
• Any other portable storage or transmission mechanism

In addition to encryption, it is vital that any important data is backed up. Please contact IT Helpdesk for advice on backing up your data.​

​Sending data via email

The most straightforward way to encrypt data for transmission of most documents via email is to put a password on a Microsoft Office file. Password protected files in Office 2007 or later are securely encrypted. The password to the file should be provided separately to the encrypted email (perhaps by telephone). Please see the following guidance on how to encrypt / password protect an office document.​

​Securing data on your laptop, home desktop, or any computer device used away from campus

​If you have a device that you use to access Cardiff Met systems or data, or take sensitive data off campus, then please consider using Bitlocker for Windows desktops.

For Apple Macs running OSX, please use FileVault for data encrytpion.

​

Securing a Pen Drive (USB memory stick)

If you store sensitive data on a memory stick then it should be encrypted to prevent unauthorised access should you lose it.

Modern operating systems such as Windows 7 and later have the option of using "BitLocker To Go". Likewise Apple OSX Lion and later provide the ability to encrypt a USB drive via the Disk Utility. 

Note that BitLocker encryption cannot be accessed by Apple OSX. Likewise OSX Disk Utility encryption cannot be accessed by Microsoft Windows.

A further option for securing data is 7-zip. It is a free compression utility that will also encrypt files. The encrypting files with 7-Zip guidance details its use on Windows PCs and there are also unofficial versions of 7-zip for OSX such as Keka (this should allow for the transfer of 7-zip files between Windows & Apple OSX based computers).​

​Securing a writeable CD / DVD

​If documents are stored on a CD then these can be password protected. Please see advice on how to password protect an Office document. If you wish to store other types of data, then an encrypted USB memory stick may be a better choice.​​

​​Securing data on a portable hard drive

Data on a portable hard drive can also be encrypted using the methods detailed above. ​​

Cloud-based services like Dropbox, iCloud, SkyDrive, Cloud Drive, SugarSync and Google Drive are becoming increasingly popular. They provide an easy to use means of accessing files, across multiple devices, from any location.

​​Any use of such services does, however, mean that you are entrusting the provider to keep the data safe and secure from threats. Whilst, this may be acceptable in a personal context, there are numerous risks that must be considered in respect of corporate or research data.​ 

This section identifies the risks of using such services and provides guidance on the actions that should be used to mitigate these.​

​​Risks of using Cloud Based Services

​​Potential Breach of Data Protection Act

The Data Protection Act defines UK law in respect of processing personal data (what is personal data?). All staff members are responsible for abiding by the Act and transferring or storing data on a cloud system does not absolve you of responsibility. 

As the owner of the data, you will be responsible for its Data Protection and ensuring that it is processed and stored in compliance with the act.

​​Geographical spread

​Contracting, for cloud services, with a UK based supplier is no guarantee that the data will be housed in the UK. They may subcontract with an overseas firm to carry out the data storage or for data centre facilities. Storage outside of the EEA brings additional implications in respect of the Data Protection Act. 

Unless there is a clear contractual obligation, from the supplier, to only store the data in the EEA, then you need to assume it may be stored elsewhere.

Loss or Disclosure of Valuable Data
Cloud supplier’s terms generally only offer very limited liability against data loss, disclosure or corruption. The risks include deletion due to non-payment of bills, service failure, contractual issue, service failure, supplier going out of business, acquisition, supplier hacked and interception in transit.

Remember that ex-staff may still have access to cloud services even after their resignation or termination and could still continue accessing or modifying the data. 
You should also consider the value of the data before sending it to a cloud service. Does it have high commercial value or could there be potential issues with intellectual property rights?

The FBI​
The Patriot Act and other US legislation dictates that the FBI and other US Government agencies will be able to obtain access to your data if it is stored with a US company or is housed in a US owned Data Centre even if this is based in the EU. 

Should research data be stored somewhere that makes it accessible to US Government agencies?

Service Quality
There is a risk of failure or inadequate performance of every IT service. Generally such problems can be addressed by the organisation and its software and hardware suppliers.

  
In respect of cloud based systems there may also be a reliance on aspects that neither party has any control over i.e. the Internet. It may therefore, be very difficult to troubleshoot service quality issues.

The Unknown
Cloud services are still fairly immature and the security and access technology is still developing. They are also more likely to be attacked as hackers prefer to attack systems that have numerous clients and vast amounts of data than resources managed in-house by single companies. 

With local services, it is usually possible to take fast and robust action to manage any threats that occur however with cloud services you are reliant on the commercial cloud provider and internet providers.  Their actions are likely to be for commercial reasons or for the greater good of all. These may be to the determent of individual organisations.

Guidance for Secure Use of Cloud-Based Services

Contract / Terms and Conditions  
​In addition to addressing any risks identified on this page, you must ensure the contract or terms and conditions provide contractual clauses that cover all of your requirements.

 
One of the most important contractual requirements is that you have a clear transition out plan that ensures the continued availability and security of your data.

Safe Usage
You need to be aware of the service you are using. Unless you are happy for the files to be potentially disclosed to the public or lost then you should ask questions such as:

• Are files encrypted when they stored on the service?
• Are the files stored on my smartphone or device encrypted or password protected?
• What security measures and practices does the cloud provider employ?  

​​Unless you can afford to lose the data you are storing on the cloud service then you should ensure it is regularly and securely backed up.  Providers such as Dropbox make it clear, in their terms, that you are responsible for maintaining and protecting all of your stuff. ​

Summary of Recommended Actions

• ​DO NOT store any personal or confidential corporate information on non-Cardiff Met external storage systems and services.

• DO consider the risks carefully before storing any other data or documents on non Cardiff Met storage. It is accepted that many work documents would not constitute a risk to persons or corporate sensitivities if lost, stolen or otherwise disclosed. As such staff members are expected to perform an assessment of the risks identified in this document.  

• ​You should ensure that measures are taken to mitigate any risks. If necessary then consult with IT Helpdesk for advice on technical aspects and IT Security.​

​Protection of the Environment

Some IT equipment is classified as hazardous to health or the environment. The advice of ISD should be sought if in any doubt. Types of hazardous equipment include, but is not limited to:

• VDU's/Monitors – may contain substances hazardous to the environment.
  

• ​Battery Back-up units/UPS's – may contain lead and acid.
  

Any equipment reasonably capable of being recycled should be recycled.