Information Security Guide
This guide provides security advice for those employees accessing University information using smart phones and tablet devices, whether they have been supplied by CIS or are personally owned.
An encryption feature is enabled by default on iPads (version iOS 4 onwards) and this cannot be disabled by the user. It ensures a high level of security when the device is locked. If your device is lost or stolen when locked, the information held on it will be safe from unauthorised access.
iPads (upgraded to version iOS 4) and the latest generation of Android devices have the ability to encrypt but you must manually activate the feature.
However, when a device is unlocked, information becomes vulnerable to security risks. You can help to significantly reduce those risks by taking the following steps:
- Don’t carry any more information than is necessary on your device. Consider what might happen if the information was accessed by someone else and decide whether you really need to have it there.
- Encrypt information whenever possible.
- Information relating to the business of the University must be available to the University within its information systems, not stored on your device. Transfer business information to the shared drive at the earliest opportunity. The University must have available – and be able to back up – an audit trail of its business transactions.
- Delete all University information from your device before disposing of it or when you cease using it for University business.
- Ensure that your device has up-to-date security software installed, including a firewall. Install updates and security patches regularly. By default, Sophos software is installed on devices issued by CIS but other devices used for University business (except iPads, which do not require anti-virus software to be installed) should also have Sophos installed.
- Enable the free Find my iPad feature on your iPad. This will allow you to track your iPad if it should be lost or stolen.
- Use the Passcode feature to ensure that your device is locked when left unused for a specified length of time, or when it’s turned off.
- Set the Passcode feature to wipe the information held on your device after a specified number of failed attempts to unlock it.
- Where your device does not permit you to set a passcode of more than 4 digits, avoid setting a passcode comprising obvious number combinations, such as 1111 or 1234. Where your device has a Complex Passcode feature, set a passcode comprising a minimum of 6 alphanumeric characters.
- Don’t save passcodes or passwords on your device.
- Don’t jailbreak your Apple device or root your Android device.
- If you are considering using a Wi-Fi network, first consider whether the security risks associated with these networks are worth taking in relation to the confidentiality of the information you will be using.
- Whilst on Durham University’s campus, use the Wi-Fi network described as “Durham University” or “DU Wireless” (rather than the web authentication version) as this is the most secure.
- Beware of fake Wi-Fi hotspots. Use hotspots provided by trusted commercial operators, such as BT OpenZone or T-Mobile. Using your device to surf the internet increases security risks to the information held on it. If you use an insecure network, others could listen in or see the information on your device, hack in to access your personal details or infect your device with viruses or spyware.
- If using a home wireless network, set a password at point of entry so that you can control which devices can use your network. Refer to the instructions provided with your wireless router to find out how to do this.
- Use Bluetooth with caution and only pair with trusted devices.
- Only download apps from reputable stores, such as iTunes, Google Play, Amazon and GetJar.
- If you need to use a webpage to carry out a transaction involving confidential information, ensure that you use a secure webpage (the address will begin https:// and will have a padlock symbol in the address bar).
- Always use a VPN (virtual private network) when transferring information from your device to another device. This will ensure that a high level of encryption and security is in place. The iPad provides support for a number of VPN technologies, such as IPsec and L2TP.
The University is unable to control access to (or apply security to) information stored in commercially available cloud-based solutions (such as iCloud or Dropbox). By default, iPads supplied by CIS do not have iCloud enabled. Uncontrolled use of cloud-based solutions would put you and the University at risk of breaching the Data Protection Act and would prevent the University from protecting intellectual property and commercially confidential information.
Cloud-based solutions should therefore not be used to store the following University information:
- Personal data and especially sensitive personal data
- Information critical to the key functions of the University
- Information that must be available immediately to the University
- Information that must be held securely with a level of assurance and an audit trail
- Information confidential to the University or to a third party
- Intellectual property.
For further information on data protection, please see: https://www.dur.ac.uk/data.protection/
For further information on IT security, please see: https://www.dur.ac.uk/cis/security/