Defining the University’s approach to keeping working areas and devices secure
This control procedure defines the University's approach to keeping working areas and devices secure, and directly supports the following statement from the Information Security Policy:
All assets (information, software, electronic information processing equipment, service utilities and people) will be documented and accounted for.
Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
This procedure is intended to be read and understood by all users accessing University information, IT systems, networks or software using any University or personally owned device.
The University recognises that material left unattended (e.g. on a printer or in an unlocked cupboard) is more susceptible to damage, disclosure or theft, particularly outside of office hours.
Documents containing SENSITIVE information according to the University’s Information Classification Scheme should be locked away when not required, especially when the office is empty. Printed material should be collected from printers immediately and not left for others to pick up.
Documents should be disposed of in the confidential waste bins or shredded according to the University’s Information Classification Scheme. No sensitive documents should be placed in the general waste.
Where possible, pedestals and/or shared cupboards should be locked when left unattended.
There is a risk that information could be viewed by unauthorised users if left on an unlocked, unattended computer screen. Screens can easily be locked when not in use by using Ctrl/Alt/Del and Enter or the Windows key and ‘L’ for Windows computers, or Control/Shift/Power for Macs. This should be done whenever a screen is left unattended.
Screens will automatically lock after 30 minutes of inactivity.
Care should be taken when working away from the office, including at home, to ensure that the same guidelines are followed. Always be aware of others being able to view University material by ‘shoulder surfing’, especially when on public transport or in public locations such as cafes.
All removable media devices including laptops and mobile phones containing SENSITIVE data should be stored within a secure room or cupboard when not in use.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security Manager annually or more frequently as required, and will be approved by the Information Security Board.