Frequently asked questions about how we keep our data and information safe and secure.
Next, think about the best way to secure the information before sending it.
Questions to ask yourself:
OneDrive for Business will allow you to share files securely with your colleagues and students via the web from any device, wherever you are.
OneDrive should not be used as a storage tool and files should be removed from it as soon as possible afterwards.
Other alternatives include encrypting your document before sending it externally, or considering whether the information you need to share can be limited or anonymised to prevent the sharing of large amounts of information externally.
Confirmed or suspected information security breaches should be reported promptly to the Information Security team either in person, over the telephone or by email. Contact details are:
Examples of incidents that require reporting include:
You can access our existing e-Security training, which covers all aspects of information security.
Alternatively, if you would like some face-to-face training, please contact the Information Security Team with further details of your requirements.
Any new service or system must initially start as a Project to ensure areas like information security concerns are covered. Initial questions we would look for answers to include:
Significant assurance can be taken from the presence of current and suitably-scoped certifications: ISO 27001 for information security management; ISO 22301 for business continuity management; ISO 27017 for cloud security; Cyber Essentials (mainly for HMG departments or providers of services to HMG). The Information Security Manager will be able to offer advice on the suitability of or necessity for certifications.
For further advice on the security requirements for new systems and services please contact a member of the Information Security Team.
Phishing in particular is an increasingly common problem.
Phishing is a variety of spam which tries to trick you into giving up your username, password, bank PINs etc.
This kind of personal data will allow the phisher to gain access to your account and steal your money or even your identity.
Do not click on any unknown links or attachments if you feel the email is suspicious. For further assistance:
If in any doubt, contact the IT Helpline for advice on 0161 247 4646.
The Helpline will be able to arrange an anti-virus check of your machine to ensure your data is secure.
If you receive a phone call you don’t feel comfortable with, do not give any information and end the conversation.
You can always ask further questions about the nature of the call and why they are calling you specifically in order to try and ascertain who you are speaking to and whether it is a legitimate telephone call.
Do not provide the caller with any details or information about the University if you are unsure who you are speaking to.
If in doubt, ask them to contact you via email confirming who they are and why they are looking to speak with you.
You may have seen press reports detailing two IT security vulnerabilities, referred to as Meltdown and Spectre. These vulnerabilities could allow an attacker to steal data, and they affect almost all modern computing devices. At the moment there are no reports of attackers exploiting the vulnerabilities, but the likelihood of this happening increases day by day. For more information you can search online or check out this BBC article.
The University is taking steps to treat the risk by applying security patches as they become available, and once they have been thoroughly tested. We are monitoring third parties to take assurances about their approach to patching.
As with most major IT vulnerabilities, all our staff and students should ensure that they apply all available updates to their personal devices, focusing particularly on the operating system and any anti-virus programmes.
If you have any concerns, please contact the IT Helpline on 0161 247 4646.
Apart from reclaiming some mailbox space, there will be no obvious changes for users – the deletion process is seamless and takes place each night.
This is the first step in a process of taking a more active and responsible approach to managing our email data across the University. The requirements for this are as much governance related as they are technical.
The data is recoverable in line with Exchange deleted items (90 days) should something be deleted which you later need. However, we would only encourage you to do this where absolutely necessary. You should take time now to save anything you need in the future for business reasons.
Nothing, this change is mandatory. However, in the unlikely event that you regularly refer to data inside calendar items from over 2 years ago, this should be removed and saved in a more appropriate location.
No, this is a mandatory change being made by the Information Security team with the full backing of the Information Security Board.
The change will be rolled out against all MMU mailboxes in the week commencing 11 December 2017.
No, the University previously had an Information Classification Policy but we recognised that this was not widely being used and needed to be simplified. The updated version simplifies our approach to classification of information and provides clear instructions around handling requirements.
No, we recognise that historical documentation will not be marked in line with this version of the classification scheme. Any amendments to old versions should reflect the new scheme, as appropriate, but the Information Security team is more than happy to discuss this with you directly and provide advice on what action you may or may not need to take.
Yes – this is definitely something that will benefit you going forward. It will mean you do not need to do it on an individual document by document level and will act as a clear reminder for staff to consider how that information is then subsequently handled in line with the classification scheme.
Information that falls into the PUBLIC category only needs to be visibly marked as such on internal copies. This doesn’t affect information published on the website for example. This information is generally intended for public distribution but you should always consider any embargoes that might apply prior to publication.
INTERNAL information will be the majority of University information. It does not require any visible marking but things like encryption should be considered despite it not being mandatory. Information of this nature should be stored securely with the usual care taken to avoid loss, unauthorised disclosure etc.
For more specific handling requirements please see Annex B of the Information Classification Control Procedure.
The IT Helpline team is on call 24 hours a day, 7 days a week.
Or come see us weekday afternoons at the University library.