Cybersecurity
Cybersecurity Policies
Information Security and Data Protection training course
The aim of the Information Security and Data Protection training course is to ensure staff and students understand their responsibilities in relation to information security and privacy compliance legislation.
Guidelines for data security and confidentiality
The use of mobile devices increases the risk that information which is intended to be private will become public. Exposing data can have serious consequences for the people concerned and for the University’s reputation.
See also the IT Services travel guide pages:
What sort of data?
Not all data is sensitive or confidential.
Personal data
Identifies a living individual, either on its own or with other data such as an email address, home address or photo.
Sensitive personal data
Includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sex life, criminal offences and proceedings.
Below are some guidelines on data categories, which may help you decide whether the data needs special care.
Open data
Information intended for the public domain or that carries no risk. All information is assumed to be open unless otherwise specified.
Restricted data
Information intended for a defined audience but not particularly sensitive.
Examples:
Committee minutes (except Council and Senate)
Draft discussion papers
Intranet websites
Most internal documents
Confidential data
Information likely to cause significant harm to the University’s reputation, assets or ability to meet its legal and contractual obligations if revealed outside the intended audience.
Obligation to treat as confidential by law or contract.
Information that carries a high confidentiality risk.
Examples:
Student recruitment information
Admissions information
Legally privileged documents
Senior Management and Strategic discussion papers
Live examination papers
Contracts, commercial data
Unpublished research
University budget / TRAC data
Personal details
Salary and payroll data
Patient identifiable data
Credit / payment card details
If you believe that you will be using restricted or confidential data outside the department, then please read on.
Minimising the risk of exposing data in the event of theft or loss
This page describes the technical and behaviour changes you should make to minimise the risk of sensitive or confidential data being made public in the event of your mobile device being lost or stolen.
Technical Changes
Laptops
Disk encryption will keep data secure in case of theft. In order to comply with the University’s Security Policy, all laptops bought through the department will be encrypted.
Passwords. All accounts should have hard-to-guess passwords and should not be automatically logged on. There is advice about creating hard-to-guess passwords here.
Consider using a Password Manager or Password Vault. There is an interesting blog post on Password Managers from the National Cyber Security Centre here.
Manage your laptop.
Install anti-virus software and check it is regularly updated.
Make sure all software is up-to-date, including Windows Update (Windows) or Software Update (Mac) and other frequently used applications (Firefox, Adobe, Google Chrome). Most applications can be set to update automatically. We can provide a checking service if you want to make sure your laptop is up-to-date.
Take regular backups. There is helpful advice from the Get Safe Online site.
USB Sticks
USB sticks are very often lost and so are an extremely risky way of storing confidential or sensitive data. Encryption is the only safe option. We can recommend secure USB devices and may be able to help with setting them up.
Tablets and Smart Phones
Set up a PIN or passcode. The stronger the password, the more secure the device. Configure the device so that data will be erased if there are multiple failed attempts to unlock.
Use Track and Wipe if it is available and if you believe you may have confidential or sensitive data on your device.
Behaviour Changes
Browsing
Don’t save passwords (ever) as this would allow access to private information. Some browsers (such as Firefox, but NOT Google Chrome) can be given a master password, which makes saved passwords slightly more secure. This article in the Guardian describes the problem.
Clear browser history regularly.
Email
Do not send unencrypted email which contains sensitive or confidential information.
See the University’s Stay safe on email advice on sending secure email. The Stats IT team may also be able to help set up your email to send messages securely.
How do I know if the information is sensitive or confidential? Please see the University’s Understanding data protection page for more information.
As a general rule, don’t put anything in an email that you wouldn’t want to make public, particularly if you are using email outside the University network.
Out and About
Always leave your device locked.
Take care to keep your device in a safe place and never leave it unlocked when not in use.
Recognising Insecure Wi-Fi
Be wary of open networks. Get Safe Online provides useful advice about using wireless networks.
In summary, unless you have entered a key, it is very unlikely that a public Wi-Fi network is secure.
If you will need to access confidential or sensitive data then connect to our VPN.
How can I find out more?
Further advice from the University
The University IT Services Information Security team (InfoSec) have provided a lot of very useful information and are adding more. The links below point to pages we believe to be particularly useful. They also run courses which you are encouraged to attend.
The risks and confidentiality of email are listed on the University Information Security Policy and implementation guidance page. Remember that email was not intended to be a secure way of sharing information. Generally, you should consider sending email to be like sending a postcard. If you would like help securing your email, please mail ithelp@stats.ox.ac.uk.
Mobile devices
General guidelines for using mobile devices and advice for keeping data safe.
Using public computers and open networks: Stay safe on the move
Other sources of information
More technical advice can be found on the Information Commissioner’s Office website.