
Information Security FAQs

Frequently asked questions about how we keep our data and information safe and secure.

General information security FAQs

How can I securely send information outside the University?

Consider the type of information you need to share externally:

  • The amount of information you need to share – do you need to share it all or can you just share a sample?
  • Can you anonymise the information so no student or staff members are identifiable from the data in question?
  • Is the information particularly sensitive? For example, does it concern ethnicity, disability, or an individual's exceptional factors?
  • Why are you sharing this information with the external party? Do you have a clear business need?

Next, think about the best way to secure the information before sending it.

Read our guide to encrypting files and documents

How can I securely share information outside the University?

Questions to ask yourself:

  • Do you need to share information regularly with this third party or is this just a one-off situation?
  • What type of information are you about to share? Is it particularly sensitive information, such as specific data about students or staff?

OneDrive for Business will allow you to share files securely with your colleagues and students via the web from any device, wherever you are.

OneDrive should not be used as a storage tool and files should be removed from it as soon as possible afterwards.

Alternatives include encrypting your document before sending it externally, or considering whether the information you need to share can be limited or anonymised to avoid sharing large amounts of information externally.

How do I report an information security incident?

Confirmed or suspected information security breaches should be reported promptly to the Information Security team either in person, over the telephone or by email. Contact details are:

Examples of incidents that require reporting include:

  • Accidental loss or theft of sensitive data or equipment on which such data is stored (e.g. loss of laptop, paper records)
  • Unauthorised use, access to or modification of data or information systems (e.g. sharing passwords to gain access to or change information)
  • Unauthorised disclosure of sensitive or confidential information (e.g. email sent to wrong individual or sensitive document sent to incorrect address or individual)
  • Compromised user account (e.g. account details obtained through phishing)
  • Successful or unsuccessful attempts to gain unauthorised access to University information and/or information systems
  • Equipment failure
  • Malware infection
  • Disruption to or denial of IT services

I'd like some further training on information security.

You can access our existing e-Security training, which covers all aspects of information security.

Alternatively, if you would like some face-to-face training, please contact the Information Security Team with further details of your requirements.

e-Security training (Log in to Moodle required)

We are about to replace our existing system with a new piece of technology – are there any information security questions I should ask?

Any new service or system must initially start as a Project to ensure areas like information security concerns are covered. Initial questions we would look for answers to include:

  • What data is going to be processed by the system? e.g. student data, staff data, payroll information?
  • Have you completed a Data Privacy Impact Assessment (DPIA)? Please refer to the DPIA Screening Questionnaire to determine whether a DPIA is required. If you answer yes to any of the questions then a DPIA must be undertaken. Please contact Legal Services for advice on the completion of a DPIA.
  • Where will the data likely be stored? e.g. MMU servers or a third party?
  • What security considerations have been given to the hosting requirements?

Significant assurance can be taken from the presence of current and suitably-scoped certifications: ISO 27001 for information security management; ISO 22301 for business continuity management; ISO 27017 for cloud security; Cyber Essentials (mainly for HMG departments or providers of services to HMG). The Information Security Manager will be able to offer advice on the suitability of or necessity for certifications.

  • Has retention and disposal of the data being processed been considered?
  • Will data be encrypted at rest?
  • If data is being transmitted then what method is going to be used?
  • Will it be encrypted in transit?

For further advice on the security requirements for new systems and services please contact a member of the Information Security Team.

I've received a suspicious email – what should I do with it?

Phishing in particular is an increasingly common problem.

Phishing is a variety of spam which tries to trick you into giving up your username, password, bank PINs etc.

This kind of personal data will allow the phisher to gain access to your account and steal your money or even your identity.

Do not click on any unknown links or attachments if you feel the email is suspicious. For further assistance:

  • Contact the IT Helpline
  • If that email contained a request for login or financial details, forward it to the IT Helpline
  • If you get repeated spam mail from the same source then send it to your Junk folder to avoid receiving any more

If in any doubt, contact the IT Helpline for advice on 0161 247 4646.

The Helpline will be able to arrange an anti-virus check of your machine to ensure your data is secure.

Learn about suspicious emails

I received a call from someone claiming to be from a large company and wanting to access my computer. What should I do?

If you receive a phone call you don’t feel comfortable with, do not give any information and end the conversation.

You can always ask further questions about the nature of the call and why they are calling you specifically in order to try and ascertain who you are speaking to and whether it is a legitimate telephone call.

Do not provide the caller with any details or information about the University where you are unsure who you are speaking to.

If in doubt, ask them to contact you via email confirming who they are and why they are looking to speak with you.

What do I need to know about Meltdown and Spectre security flaws?

You may have seen press reports detailing two IT security vulnerabilities, referred to as Meltdown and Spectre. These vulnerabilities could allow an attacker to steal data, and they affect almost all modern computing devices. At the moment there are no reports of attackers exploiting the vulnerabilities, but the likelihood of this happening increases day by day. For more information you can search online or check out this BBC article.

The University is taking steps to treat the risk by applying security patches as they become available, and once they have been thoroughly tested. We are monitoring third parties to take assurances about their approach to patching.

As with most major IT vulnerabilities, all our staff and students should ensure that they apply all available updates to their personal devices, focusing particularly on the operating system and any anti-virus programmes.

If you have any concerns, please contact the IT Helpline on 0161 247 4646.

Calendar retention FAQs

What happens to recurring items in my calendar?

Recurring items are judged based on their final end date – 2 years after this they are removed. If there is no end date set, they are not removed.

What changes will I notice as a user?

Apart from reclaiming some mailbox space, there will be no obvious changes for users – the deletion process is seamless and takes place each night.

Why are we implementing calendar deletion?

This is the first step in a process of taking a more active and responsible approach to managing our email data across the University. The requirements for this are as much governance related as they are technical. 

Can I recover calendar data that is deleted?

The data is recoverable in line with Exchange deleted items (90 days) should something be deleted which you later need. However, we would only encourage you to do this where absolutely necessary. You should take time now to save anything you need in the future for business reasons. 

What do I need to do ahead of these changes?

Nothing, this change is mandatory. However, in the unlikely event that you regularly refer to data inside calendar items from over 2 years ago, this should be removed and saved in a more appropriate location. 

Can I opt out of this?

No, this is a mandatory change being made by the Information Security team with the full backing of the Information Security Board.

When will the change take place?

The change will be rolled out against all MMU mailboxes in the week commencing 11 December 2017.

Information classification FAQs

Is this a brand new scheme?

No, the University previously had an Information Classification Policy but we recognised that this was not widely being used and needed to be simplified. The updated version simplifies our approach to classification of information and provides clear instructions around handling requirements. 

Do I have to go through historical documentation to apply any new markings?

No, we recognise that historical documentation will not be marked in line with this version of the classification scheme. Any amendments to old versions should reflect the new scheme, as appropriate, but the Information Security team is more than happy to discuss this with you directly and provide advice on what action you may or may not need to take. 

We use a set of standard templates that when completed will fall into the SENSITIVE category – should we amend the templates to reflect the SENSITIVE marking?

Yes – this is definitely something that will benefit you going forward. It will mean you do not need to do it on an individual document by document level and will act as a clear reminder for staff to consider how that information is then subsequently handled in line with the classification scheme. 

I work with information that falls into the PUBLIC or INTERNAL category – do I have to change the way I handle that information?

Information that falls into the PUBLIC category only needs to be visibly marked as such on internal copies. This doesn’t affect information published on the website for example. This information is generally intended for public distribution but you should always consider any embargoes that might apply prior to publication.

INTERNAL information will be the majority of University information. It does not require any visible marking but things like encryption should be considered despite it not being mandatory. Information of this nature should be stored securely with the usual care taken to avoid loss, unauthorised disclosure etc.

For more specific handling requirements please see Annex B of the Information Classification Control Procedure.

Need IT Support?

The IT Helpline team is on call 24 hours a day, 7 days a week.

Or come see us weekday afternoons at the University library.
