Information Security FAQs
Below is a collection of the most commonly asked questions; it is not exhaustive. If you cannot find the answer to your question, please email infoassurance@worc.ac.uk
- Use secure means to access University information (e.g. Virtual Private Network (VPN), OneDrive for Business, remote access to N and O drive via website)
- Do not store local copies of Highly Sensitive and Personal/Confidential University information - see the Information Classification and Handling table for advice on storage
- Delete your browsing history on shared personal computers to remove any cached session details
Where assignments do contain the student name and ID number (i.e. not anonymous marking), you should not use your personal mobile device to store or transport the assignments, as this information is classed as 'Personal/Confidential' because an individual can be identified. You must access them remotely via the VPN, the University OneDrive service, or the N and O drive accessed via the webmail.
The Information Security Policy is not encouraging a 'clear desk policy'. However, there are some areas of the University which routinely manage personal or sensitive data where individual managers may choose to implement such a policy.
- Lock your computer when you are not at your desk by pressing Alt + Ctrl + Del all at once and then clicking on 'Lock'
- Create a strong password: make it 8 characters or longer and use lower and upper case letters, numbers and punctuation. You can set up your own security questions for resetting your password by following this link.
- Clear your desk of any sensitive information when you leave the office, and lock it away
- Lock the door and windows when you leave the office
- Only save data in your department's shared drive, your N drive or the University's OneDrive for Business. Your desktop (C drive) is not backed up, so you may lose your important data if you have computer trouble.
- If you need to throw out information that is classed as 'Highly Sensitive' or 'Personal/Confidential' then put it in one of the Confidential Waste Boxes that are around the University or ask Facilities to tell you where the nearest one is.
If you need to access 'Highly Sensitive' or 'Personal/Confidential' Information from home or anywhere else, you need to do it securely, using one of the following methods:
- The University's Virtual Network Service (VPN)
- University of Worcester OneDrive for Business
- Access your N or O drive, via Webmail
Good practice would be:
- Don't leave it lying around where anyone could access it
- Password protect the data if it's on a mobile device or memory stick. Use Rights Management Services to protect documents
- Don't work on the information in public (e.g. cafes, buses, trains etc)
- Make sure your mobile device is encrypted
Many of us rely on our phones and tablets on a day to day basis - so make sure you protect yourself:
- Keep devices physically secure and take reasonable measures to reduce the risk of theft or loss (e.g. keeping the device on your person and out of sight, do not leave unattended in hotel rooms etc)
- Secure access to devices using an appropriate passcode, passphrase or similar; where appropriate, default settings should be changed to allow use of more advanced passcodes
- Set devices to automatically lock after a pre-defined period of inactivity (usually no more than a few minutes)
- Keep software on mobile devices up to date with the latest version
- Only install apps from trusted locations. For University owned devices this has to be through the IT Helpdesk
- Be careful who can read information when viewing in public areas
- Report theft or loss of mobile devices to the IT Helpdesk, Information Assurance (infoassurance@worc.ac.uk) and your department
If you are unsure if the information you are working on or accessing is classed as Highly Sensitive or Personal/Confidential then you need to look at the Information Classification and Handling webpage.
Here you will find a flowchart that helps you work out the category of your information and a table which gives examples of the different categories of information and how you can process and store them.
'Cloud Services' is a general term for anything that involves delivering hosted services via the Internet.
You may have encountered the Cloud as a way of storing information remotely, e.g. iCloud, Dropbox, Google Docs. However, some of the options are not secure, so careful consideration is needed before using a Cloud Service for University Information.
Any information classed as Highly Sensitive or Personal/Confidential should only be shared by the University's approved Cloud Service - OneDrive for Business.
Cloud Services such as Dropbox and Google Docs are not permitted for these categories of data/information as they are not secure and are not hosted within the European Economic Area, and are therefore not protected by EU Data Protection law.
The University contracts out the disposal of confidential waste. Information and data that is classified as 'Highly Sensitive' or 'Personal/Confidential' should be placed in the Confidential Waste disposal boxes which are placed around the University - not the plastic recycling boxes.
If you are unsure of the location of your nearest Confidential Waste Box please ask Facilities.
The boxes are emptied on a fortnightly basis and the contents shredded off site.
If your local Confidential Waste Box is full or you have a large quantity of confidential waste please contact Facilities who will arrange an additional collection.
Please do not shred your confidential waste - shredded paper causes issues for both the Confidential Waste Shredding service equipment and for normal waste collection service equipment.
Contact Details
Information Governance
Edward Elgar Building
University of Worcester
Henwick Grove
Worcester WR2 6AJ
Email: infoassurance@worc.ac.uk
Tel: 01905 543032 / 01905 855014