IT Good Practice Policy

The following IT Good Practice Policy is to ensure the secure use of University computing equipment and the secure handling of personal data. This policy is applicable to all staff and students within the Department of Health Sciences. Staff members should ensure that authorised collaborators who use University computing facilities, or who may have access to data, are informed of and agree to abide by the following policy. The University Information Assurance Office is the lead for issues related to legal compliance, information security, records management, business continuity and risk management. Their website contains the latest policies and procedures relating to information security. The good practice policy below is intended to give individuals a short introduction to those procedures and policies.

  1. This Good Practice Policy contains information on:
Downloading and transportation of personal data
  • Before data is downloaded on to a laptop, flash drive, or other external device, STOP and justify to yourself why it is necessary for the personal data to be downloaded or transported.
  • Removal of confidential or personal data offsite is discouraged. Staff wishing to transport confidential or personal data MUST obtain authorisation from the Department Manager (do43@le.ac.uk 252 3206). Staff should make requests in writing, stating why transportation of data is required, giving the physical address of the storage location, and identifying any risks associated with transportation and offsite storage.
  • If there is a justifiable case (authorisation granted) for transporting personal data outside of secure University premises, all reasonable precautions should be taken, e.g. anonymisation of data, encryption, the use of strong passwords, and password-protected screen savers.
  • Please note transportation of personal data outside of the EEA (EEC plus Norway, Liechtenstein and Iceland) potentially breaches Principle 8 of the Data Protection Act. For further advice contact staff in the Information Assurance Office on ias@le.ac.uk or call extension 7946.

 

Data Protection
Storage devices
  • Whether in the office or elsewhere, when not in use laptops, flash drives or other external devices that contain personal data must be locked away in drawers, cabinets, safes etc. Other physical security measures such as the use of Kensington cables should be considered as deterrents against the opportunistic thief.
Clear desk policy
  • Within the office every effort should be made to operate a clear desk policy, use screensavers and use “strong” passwords. The office door should be locked even when leaving the room for a short period.

    A clear desk policy includes ensuring all sensitive data is locked away when leaving the office for a lengthy period of time i.e. when leaving for lunch, meetings and at the end of the day.
Powering Off
  • At the end of the day you should be in the regular habit of completely shutting down your computer. Understandably there will be occasions where there is a need to run machines overnight to process data. This is fine. However, bear in mind that IT regularly conduct scheduled maintenance which may affect the servers. The Department attempts to keep staff notified of IT scheduled maintenance periods via email.
  • If you are not processing data you must shut down completely.

 

Data encryption
  1. It is essential that data provided to the University by external bodies, or vice versa, is handled in accordance with the specific security requirements demanded by those third parties e.g. Department of Work and Pensions, Home Office, Ministry of Justice. [Note that one of the key requirements being demanded with immediate effect is the encryption of data on portable devices. It is planned that this will be a key element of the University policy in this area.]
  2. Ensure all sensitive data files are encrypted. Should you require any further advice or guidance regarding data security and encryption, please contact the Information Assurance Office, e-mail ias@le.ac.uk or call 229 7946.
  3. To ensure your flash drive is secure you can protect the contents using 7-Zip 4.42, which is downloadable from CFS. 7-Zip compresses files and can apply a password, so nobody can uncompress and see the data without knowing the password. 7-Zip 4.42 can be downloaded from CFS by following these instructions:

    1. From your start menu "select" All Programs
    2. Navigate to CFS Software 2, "click" Select & Remove Software (this will open a new window)
    3. Locate and "select" 7-Zip 4.42 and "click" to add
    4. Once complete close out the window
    5. From your start menu "select" All Programs
    6. Navigate to CFS Software 2 then to the 7-Zip folder and select 7-Zip File Manager
    7. Navigate to the file or folder you want to password protect
    8. Select Add (in top left hand corner)
    9. If colleagues do not have 7-Zip on their home machine they should select archive format type "zip" so they can open the file/s on any Windows machine
    10. Type a password into the password box
    11. Be aware that large folders/files may take some time, and it is advisable to select compression level “fastest” for these
    12. Select “OK”
    13. 7-Zip will then compress and password protect. Note the original file will remain in the drive/folder from where it was originally zipped
Disposal of data and/or computing equipment – includes laptops, towers, external drives, and any other media capable of storing data
  • Hard copies that contain personal data should always be disposed of by shredding, either by using the office shredder or the secure shredding service. To arrange shredding services please contact hsenquiries@le.ac.uk 252 5402.
  • Disposal of old desktop computers and laptops should be accomplished by logging a request with University IT Services (ITHelp@le.ac.uk or call 252 2253). IT Services will arrange disposal.
Purchasing Computers and other storage media
  • If you are about to purchase a laptop, then consider one with an encrypted hard disc drive. Contact IT Services. IT staff will return your quote to you via email and recommend where the equipment should be delivered.
  1. To purchase the equipment quoted, contact the Departmental Finance Assistant, Kerry Warner kw153@le.ac.uk (or call 252 3258) to raise a purchase order. Please pay particular attention to the delivery location recommended in your quote.
  2. Departmental Finance Assistant to notify ithelp@le.ac.uk once equipment has been ordered, referencing the original quotation number, purchase order number and details of the order (this is to reduce potential queries; for example, you may not order all items in the quote).
  3. Delivery of equipment:
    Option 1. If equipment is delivered to Central IT Support (as requested or instructed by Central IT staff on your quote) Central IT Support will forward delivery note to Departmental Finance Assistant for goods receipt and invoice verification. Central IT Support technicians will be notified of delivery and will therefore schedule installation.
    Option 2. If equipment is delivered to local site (as requested or instructed by Central IT staff on your quote) the local Unit Administrator to forward delivery note to Departmental Finance Assistant for goods receipt and invoice verification.
  4. Departmental Finance Assistant will update Departmental Asset register on SAP and arrange insurance of equipment valued at £500 or more. For help or advice regarding insurance please contact Departmental Finance Assistant.
  5. Upon notification of delivery whether by option 1 or 2 above, Central IT Services staff will arrange installation of equipment at local site.
Labelling of Equipment
  • All computing equipment should be labelled (i.e. machines should have a sticker with a HS-**** number printed on it). If not, please log a call to ITHelp@le.ac.uk or call 252 2253 to request that the equipment be recorded and logged as soon as possible.
University Equipment Usage
  • University equipment including laptops should be dedicated totally to University business use i.e. there should be no overlap with home/domestic use.
Storage of Electronic Files

Electronic files should be stored and saved to a network drive. A 'network' drive is like a local drive (see local drives below) except the data is not being saved to the machine in front of you - it gets saved to a remote location on the university server. The advantage is that if the machine you are working on blows up (stops working) then the work you've saved is held elsewhere and as such is safe. There are 3 basic network drives visible to users at the University of Leicester:

  • X: This drive is used as a 'departmental shared area'. It is basically 5 gigabytes (gb) of storage space available on the main university server for a department to use as a shared area for its staff members. The area is controlled and divided up by the Department IT contact. It is here that members of staff should store files and data that they want other people in the same department to be able to have access to.
    THE X: DRIVE IS BACKED UP AND AS SUCH IS A SAFE PLACE TO STORE CRITICAL DATA FOR SHARING.
  • Y: This drive is the 'software drive'. This drive is used as a place for the system files associated with the various software programs that run on your computer i.e. Word, Excel, Photoshop Elements, Dreamweaver, etc. It's basically off-limits and you should NOT be able to save anything here.
  • Z: This drive is what's called your 'CFS file store', the 300 megabytes (300 mb) of storage space that goes with your computer profile and moves with you from machine to machine. This area is where things that you save in your 'My Documents' folder are stored. Items saved on your desktop will NOT be included in this area, so saving to the desktop should be avoided. THE Z: DRIVE IS BACKED UP AND AS SUCH IS A SAFE PLACE TO STORE CRITICAL DATA WHICH IS NOT SHARED.

External Storage Devices

  • Whether in the office or elsewhere, when not in use laptops, flash drives or other external devices that contain personal data must be locked away in drawers, cabinets, safes etc. Additional security such as installing encryption software (see Data Encryption above) or strong passwords (see Clear Desk Policy above) should also be implemented. Physical security measures such as the use of Kensington cables should be considered as deterrents against the opportunistic thief.

Local Drives

  • Local drives are local to the machine you are using - in other words they are inside the machine in front of you. There are 4 local drives typically:
  • C: This is the main hard drive inside the computer. Unlike a home machine you should NOT save to this drive as it contains lots of vital system files. This includes trying to save to the temporary area on the C: drive called c:\temp. NOTHING ON THIS DRIVE IS BACKED UP AND IN THE EVENT OF A CATASTROPHIC COMPUTER FAILURE ANYTHING SAVED HERE WOULD BE LOST - IT IS THEREFORE ADVISED THAT PEOPLE DO NOT SAVE ANYTHING OF A CRITICAL OR PRIVATE NATURE ON THIS DRIVE.
  • D: This is another local drive that is in fact a part of your C: drive that has been partitioned off and is empty so that you can use it as a temporary store for files when you are using your machine. The amount of storage space varies and is dependent on the size of the original C: drive, larger drives will have a larger D: drive, smaller drives may have small or no D: drive. Do NOT save to this drive. NOTHING ON THIS DRIVE IS BACKED UP AND IN THE EVENT OF A CATASTROPHIC COMPUTER FAILURE ANYTHING SAVED HERE WOULD BE LOST - IT IS THEREFORE ADVISED THAT PEOPLE DO NOT SAVE ANYTHING OF A CRITICAL OR PRIVATE NATURE ON THIS DRIVE.
  • E: This is usually the drive letter assigned to the CD-ROM or DVD-ROM drive. Use it to access any CDs/DVDs that you want to read data off. Refer to ‘Transporting Data’ section above.
  • A: This is the computer's floppy disk drive. Use it to save small files to floppy disk. Refer to ‘Transporting Data’ section above.

 

Requesting Access to Folders

Members of Staff may need to gain access to additional folders stored in the departmental shared area of the X drive. For security purposes staff will need to:

  • Gain permission from the Group Lead/File Owner/Data Owner via email.
  • Forward email (containing permission) to the Departmental Manager (do43@le.ac.uk)
  • Departmental Manager will authorise IT Services to assign permission to the user
  • Any requests without the approval of the Group Lead/File Owner/Data Owner will NOT be authorised.

Please note the Department will attempt to obtain folder access authorisation for new staff starters from the recruiting staff member.

 

Security Incident Reporting
  • Information system security incidents (suspected or confirmed) relating to University of Leicester computers, data, networks or people should normally be reported to the IT Services Service Desk (252 2253 or ithelp@le.ac.uk). Where the matter to be reported is sensitive or urgent it may be reported to the Information Assurance Office ias@le.ac.uk 116 229 7946. Once the above notifications have occurred, incidents should also be reported to the Departmental Manager do43@le.ac.uk 0115 252 3206.
