Best practice in brief
Confidential data stored in central filestores is on secure servers maintained in secure physical environments
- Confidential data should not be held on local disk storage (e.g. C: drive of a desktop machine)
- Confidential data should not be stored or accessed on mobile phones or tablets unless appropriate security measures are in place
Confidential data must be encrypted when:
- Stored on a laptop
- Stored on a memory stick or portable hard drive
- Stored or exchanged on other portable media such as CDs, DVDs
- Exchanged with external organisations or individuals
Data is stored on secure machines maintained in secure physical environments
The key business systems of the University are designed and managed with a high level of security in mind.
Access to these systems is managed so that only those who need specific information as part of their work can get access to it.
Such access is provided on an individual basis and must not be shared with others.
- The owners of data on central systems are responsible for defining and authorising which particular University groups (or individuals) get access to the data and what they are permitted to do with it.
- A risk assessment and measures to mitigate risk should be defined and enforced.
- Exporting data from these systems should be approved by data owners, with the required risk assessment and mitigation measures strictly adhered to.
Confidential data should not be held on local disk storage (e.g. C: drive of a desktop machine)
Confidential data should not be held on local disk storage (e.g. C: drive, system drive, other local drive) on a desktop machine.
Confidential data should be held only on an appropriately managed fileserver. Relevant College and Central IT support will manage a system or configure a secure area for this purpose, as appropriate to the circumstances.
As desktop computers may be used to access confidential data via the network, they should be configured with a high level of system security.
This can be achieved with one of the following methods:
1) Install Standard Staff Desktop (SSD). Please contact local IT support for advice on how to obtain SSD.
2) Use a Desktop configured to security standards equivalent to that of SSD. Ensure the system is configured in accordance with all system security recommendations, including those relating to:
- Antivirus software
- Up-to-date operating system and application patch levels
Confidential data MUST NOT be stored unencrypted on a laptop.
Laptops carry a significant risk of being lost or stolen. Therefore, confidential data should only be stored on such devices if it is necessary to do so.
It is relatively easy to gain access to data held on computers even if passwords are used, unless encryption has been specifically set up to ensure that this is not possible. Therefore, if there is a requirement to store confidential data on a laptop, it must be appropriately encrypted. A suitably trained member of IT staff should install and configure University-approved full disk encryption software to protect the data.
Windows laptops running the University Standard Staff Desktop environment (SSD) have full disk encryption enabled automatically as part of the SSD build process. Contact your local IT support for advice on how to obtain SSD.
All other laptops need to be configured in accordance with University system security recommendations, including those relating to:
- Antivirus software
- Keeping the operating system and applications up to date
- Full disk encryption
To this end, users should take University-owned laptops to their local IT support, and request that full disk encryption is enabled. Alternatively, contact IT Services for help and advice. IT Services provides information on how to configure full disk encryption for multiple platforms:
Where it is necessary to hold confidential data on laptops, it should be seen only as a working copy and be backed up or synchronised with a master copy on an appropriately managed fileserver. Relevant College or Central IT support can configure a shared secure area for this purpose and advise on appropriate procedures. Contact your local IT support.
Smartphones and tablets
Confidential data should not be stored on mobile devices unless necessary
Mobile devices carry a significant risk of being lost or stolen. Therefore, confidential data should only be sent, received or stored on such devices if it is necessary to do so.
The use of a strong password or PIN is essential to maintain privacy on such devices, but may not by itself provide sufficient levels of security.
Consider configuring remote wiping:
- Some vendors provide remote wiping as a service. Contact your supplier for details.
- NOTE: Devices which use 'ActiveSync' (iOS, Windows mobile, some Android) to connect to your University email can be remotely wiped using the web interface (at http://www.gla.ac.uk/it/webmail).
Set a PIN to protect your device from unauthorised use!
Your smartphone and tablet are likely to contain a lot of confidential information about you, perhaps even your bank details.
Treat your smartphone like your wallet or purse.
Treat your tablet like your laptop.
There are many ways you can increase the security of your smartphone and tablet:
- Set a PIN and ensure that it is not guessable (not 0000, 1234 etc.) to protect your device from unauthorised use.
- Set a timeout to lock your device.
- Be careful which apps you install and what permissions you give them.
- If you use GPS location services, be aware of what information they share.
- Keep in mind the email security rules: these apply whatever device you're using.
- Back up the information on your device.
- Keep a copy of your IMEI number (if applicable) in case of loss or theft.
- At the end of its life, dispose of your device securely.
Portable storage devices
Confidential data MUST NOT be stored unencrypted on a portable storage device such as a memory stick or portable hard drive
Such devices carry a high risk of being lost or stolen. Therefore, confidential data should only be stored on such devices if it is necessary to do so, in which case it must be encrypted.
Use one of the following methods:
1) Use secure storage devices with built-in encryption.
For memory sticks, IT Services recommends a device certified to the CESG CAPS or FIPS 140-2 cryptographic standards, such as the Kingston DataTraveler (available from University approved suppliers Insight and Misco). This is in line with requirements of the NHS e-Health directive.
2) Windows Only: use a standard storage device, with Windows BitLocker USB Encryption (PDF).
3) Cross Platform: use a standard storage device with VeraCrypt encryption software, or other equivalent strong encryption software. Note VeraCrypt was formerly known as "TrueCrypt".
- Download VeraCrypt
- Preparing an Encrypted USB Flash drive for use with VeraCrypt (PDF)
- Using a VeraCrypt Encrypted USB Flash Drive (PDF)
Notes on encryption methods
The advantage of (1) is in simplicity of use, but these devices may be more expensive than ordinary ones. (2) is simple to use and free, but platform-specific. (3) allows interchange of data between Windows/Mac/Linux and is free; however, it is necessary to become familiar with the software and use it correctly at all times.
The passwords used to protect data in all of these cases must conform to University Password Policy.
Other mobile storage media
Confidential data must not be stored or exchanged on portable media such as CDs, DVDs unless files are appropriately encrypted
IT Services recommends 7-Zip, which provides suitable strong encryption. This tool is installed by default on University Standard Staff Desktop (SSD), and can easily be downloaded for free anywhere else.
The passwords used to protect data in either of these environments must conform to University password guidelines.
- Most older Zip tools only provide weak encryption, and must not be used.
- Password protection features in applications including older versions of Word and Excel provide very little protection, and must not be used.
Data exchange with external organisations
Confidential data exchanged with external organisations (or individuals) should be appropriately encrypted.
Exchange of confidential data with other external organisations or individuals must be part of a protocol agreed in advance of the exchange. This agreement should include:
- A thorough risk assessment
- Transmission to be via encrypted communications
- The encryption password must meet the strength requirements of University Password Policy.
- The password must be communicated to the intended recipient via independent and secure means (in most cases it would be appropriate to phone the recipient, and provide the password after checking they are the right person)
- Equivalent security measures in place at the receiving organisation
Where any exchange of personal data is planned, the DP & FOI Office should be consulted.
Current versions of Microsoft Office offer a "password protect" feature which provides suitable strong encryption.
Where this is not appropriate (e.g. using a non-MS Office file format, or many files are involved), 7-Zip provides a suitable alternative method for encrypting file(s) before sending via web-based file transfer, or email (if small in size). This tool is installed by default on University Standard Staff Desktop (SSD), and can easily be downloaded for free anywhere else.
- Older versions of Microsoft Office (versions prior to Office 2007) and also older Zip tools only provide weak encryption, and should not be used.
Carefully check you're about to email the right people. This is especially important where confidential data are involved.
- Use your University email account for University business, as required by the IT regulations.
- When emailing confidential data, always take good care to check the recipient details are correct. Email software often automatically takes "guesses" at likely recipients, but this can very easily select an incorrect address.
- When replying, consider whether 'reply' or 'reply-all' is most appropriate. Does everyone need to know?
- Know when to use 'Bcc' - avoid placing multiple addresses in the 'To' or 'Cc' fields if the recipients may not know each other, especially where the number of recipients is large. Failure to observe this will disclose every individual recipient's identity to all the other recipients, resulting in a breach of confidentiality. Instead, place the recipients' addresses in the 'Bcc' (blind copy) field. Or, where emailing multiple recipients on a regular basis, set up a dedicated mailing list which also prevents disclosing recipients' identity and offers a number of other useful features.
- Where exchanging confidential data with external organisations by email, see section on data exchange with external organisations for requirements, including encryption.
- Some email software appears to offer a "recall" option; however in most circumstances this does not work, or requires the other person to agree. Once an email is sent, it's sent. You can't unsend an email, so always check the recipient details are correct before hitting send.
If you do send a confidential email to the wrong recipients, then you must contact the IT Helpdesk to report this immediately.
For further advice, please contact the IT Helpdesk.