General Information Security FAQs

  • How can I securely share information outside the University?

    Questions to ask yourself: 

    • Do you need to share information regularly with this third party, or is this just a one-off situation?
    • What type of information are you about to share? Is it particularly sensitive information such as specific data about students or staff e.g. ethnicity, disability, an individual’s exceptional factors etc.?
    • Can you anonymise the information, so no student or staff members are identifiable from the data in questions?
    • Why are you sharing this information with third party? Do you have a clear business need?

    Next, think about the best way to secure the information before sending it.

    OneDrive will allow you to share files securely with your colleagues and students via the web from any device, wherever you are. 

    Other alternatives include the use of encrypting your document and sending it externally or considering whether the information you need to share can be limited to prevent the sharing of large amounts of information externally. 

  • How do I report an information security incident?

    Confirmed or suspect information security breaches should be reported promptly via the Information Governance Incident Assist form

    You can find guidance on how to complete the form here

    Examples of incidents that require reporting include: 

    • Accidental loss or theft of sensitive data or equipment on which such data is stored (e.g. loss of laptop, paper records) 

    • Unauthorised use, access to or modification of data or information systems (e.g. sharing passwords to gain access to access or change information) 

    • Unauthorised disclosure of sensitive or confidential information (e.g. email sent to wrong individual or sensitive document sent to incorrect address or individual) 

    • Compromised user account (e.g. account details obtained through phishing) 

    • Successful or unsuccessful attempts to gain unauthorised access to University information and/or information systems 

    • Equipment failure 

    • Malware infection 

    • Disruption to or denial of IT services 

  • I've received a suspicious email – what should I do with it?

    Phishing in particular is an increasingly common problem. 

    Phishing is a variety of spam which tries to trick you into giving up your username, password, bank PINs etc. 

    This kind of personal data will allow the phisher to gain access to your account and steal your money or even your identity. 

    Do not click on any unknown links or attachments if you feel the email is suspicious. For further assistance: 

    • Contact the IT Helpline 

    • If that email contained a request for login or financial details, forward it to spam@mmu.ac.uk 

    • If you get repeated spam mail from the same source then send it to your Junk folder to avoid receiving any more 

    If in any doubt, contact the IT Helpline for advice on 0161 247 4646. 

    The Helpline will be able to arrange an anti-virus check of your machine to ensure your data is secure. 

    Learn about suspicious emails 

  • I received a call from someone claiming to be from a large company and wanting to access my computer. What should I do?

    If you receive a phone call you don’t feel comfortable with, do not give any information and end the conversation. 

    You can always ask further questions about the nature of the call and why they are calling you specifically in order to try and ascertain who you are speaking to and whether it is a legitimate telephone call. 

    Do not provide the caller with any details or information about the University where you are unsure who you are speaking to. 

    If in doubt, ask them to contact you via email confirming who they are and why they are looking to speak with you. 

  • I'd like some further training on information security (STAFF ONLY)

    You can search for Information Security, Email Management and Phishing videos on our training platform, MetaCompliance, including the Information Security Awareness and Raising Phishing Awareness courses. 

    Alternatively, if you would like some generic or bespoke training, either face to face or virtually, please contact the Information Security Team with further details of your requirements. 

  • We are about to replace our existing system with a new piece of technology – are there any information security questions I should ask? (STAFF ONLY)

    Any new service or system must initially start as a Project to ensure areas like information security concerns are covered. Initial questions we would look for answers to include: 

    • What data is going to be processed by the system? i.e student data, staff data, payroll information? 

    • Have you completed a Data Privacy Impact Assessment (DPIA)? Please refer to the Data Protection Assessment Procedure to determine whether a DPIA is required. Please contact Legal Services for advice on the completion of a DPIA 

    • Where will the data likely be stored? i.e MMU servers or a third party? 

    • What security considerations have been given to the hosting requirements? 

    Significant assurance can be taken from the presence of current and suitably scoped certifications: ISO 27001 for information security management; ISO 22301 for business continuity management; ISO 27017 for cloud security; Cyber Essentials (mainly for HMG departments or providers of services to HMG). The Chief Information Security Officer will be able to offer advice on the suitability of or necessity for certifications. 

    • Has retention and disposal of the data being processed been considered? 

    • Will data be encrypted at rest? 

    • If data is being transmitted, then what method is going to be used? 

    • Will it be encrypted in transit? 

    For further advice on the security requirements for new systems and services please contact a member of the Information Security Team