Introduction
The Department of Engineering and the University of Cambridge acknowledge that many staff access the University's facilities and data using their own personal devices (often referred to as BYOD, or Bring Your Own Device).
Since the pandemic, the Department of Engineering and the University of Cambridge also recognise that much University business is conducted remotely, either from staff homes or from other places that are not designated University buildings, and therefore without the University-managed wired or wireless networks and IT facilities.
The Department of Engineering’s data (whether belonging to the University of Cambridge or held in trust on behalf of its collaborators, researchers, technicians, clients or business partners) are important assets: improper disclosure, modification or destruction of these assets may result in harm to the University.
For this reason, the Department of Engineering’s data must be protected according to its value and the degree of damage that could result from its misuse, unavailability, destruction, unauthorized disclosure or modification.
Purpose
This document explains the importance of all staff of the Department of Engineering complying with data protection laws (UK GDPR 2021) and keeping safe online to prevent compromising the information or IT facilities of the Department of Engineering and the University of Cambridge, while working on personally-owned devices and while working remotely.
This policy should be read alongside the more general University Covid-19 Homeworking Protocol and alongside the Information Security Best Practice for Working from Home.
Scope
Information
It is intended that information is protected in whatever form, including, but not limited to, paper documents, electronic data and the spoken word. Information should be protected while at rest and when it is handled, processed, transmitted or conveyed.
IT Assets
IT assets include all devices and hardware/software components of the IT infrastructure, applications and data stores.
Users
This policy relates to all members of Engineering Department staff and students working on or with University IT assets and facilities of the Engineering Department and the University of Cambridge.
Policy Statements
Motivation 1
The Department of Engineering and the University of Cambridge’s data must be protected when staff are working on personally-owned devices (BYOD) from home or from a place not designated as a University building and thus not using the University-managed wired or wireless networks and IT facilities.
Policy 1
All personal devices (BYODs) used for University business must be appropriately protected, kept up-to-date and disposed of securely.
Guidance on appropriate protection of University data on your personal device
For all mobile computing devices, this means:
- Use approved applications to access University systems and data (e.g. Outlook, MSTeams app, Office365)
- Change any default passwords for all user and administrator accounts on your device
- Use up-to-date malware protection that updates daily, automatically scans files when they are accessed and web pages you visit, and warns before you access malicious websites. Products are available free of charge from the University
- Enable the local firewall
- Be aware of your surroundings and protect yourself from shoulder surfing.
- Minimise the University data you store on your device and try not to hold any University personal or confidential data. It is recommended that all University personal and confidential data is held on University systems and that you access them from your device without downloading University data to your device directly. However, if you have to, then:
  - encrypt your device (see If you store personal data on portable systems or devices, the device should be fully encrypted and How to check if your laptop is encrypted)
  - do not leave your device unattended in a public place (except for repair, and in this case, ensure the repair company gives a guarantee regarding secure handling of the data on the device)
  - consider not taking the device into countries without adequacy of data protection regulation (i.e. outside the EEA and not to countries on this list) if the device holds any University personal data, even if fully encrypted
  - set up the remote lock, auto-wipe and locate features so they are ready for use in an emergency or if your device is lost or stolen
  - consider setting up 'auto history wipe' (or similar) to delete your browser history every time your browser starts
  - report loss or theft of your device immediately if your device holds University personal or confidential data
- Wipe all University data from the device before disposing of it, or dispose of the device through a route that guarantees the data on the device will be securely erased.
Additionally, if your device is a mobile phone or a tablet, this means:
- Ensure the device has a current, up-to-date security posture and enable the University to manage access to University data
- Use a PIN or Passcode greater than or equal to 6 characters in length, or a biometric (fingerprint, face scan etc), to unlock the device. If the PIN or passcode accesses University resources and data, then this PIN or passcode must be greater than 8 characters in length.
- Only download apps from an official app store, ensuring all apps are digitally signed by the official source, and remove or disable any apps that you know you will not use.
- Do not undermine the security of the device, for example by ‘jail-breaking’ or ‘rooting’ a smartphone.
- Consider configuring your device not to connect automatically to unknown wireless networks.
Additionally, if your device is a laptop/desktop this means:
- Separate University data (including research data) from your home data by setting up another user account
- Always follow the clear screen policy and set your device to 'auto-lock' after a set period of inactivity of less than 15 minutes
- Use an operating system that is supported by the software vendor and set it to update automatically
- choose a strong password, keep your password safe and consider using a password manager
- Only download software from a reputable source, ensure the software is digitally signed by the official source, and remove or disable any software that you know you will not use
- Be aware of your surroundings and protect yourself from shoulder surfing
Policy 2
All remote access to the Department of Engineering and the University of Cambridge on-premise systems or services must be via an approved VPN connection, secure shell connection via gate.eng.cam.ac.uk, or other approved remote access means.
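As an added illustration, not part of the Department's policy text, the following OpenSSH client configuration routes a connection to an on-premise host through the gate.eng.cam.ac.uk secure shell gateway using ProxyJump; the internal hostname, the username and the key path are placeholder assumptions to be replaced with your own values.

```sshconfig
# Added example, not from the policy page. "internal-host.example" and the
# user/key values are placeholders: substitute the real hostname and your CRSid.
Host eng-gate
    HostName gate.eng.cam.ac.uk
    User crsid-placeholder
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Connections to the internal host are tunnelled through the gateway with
# ProxyJump; the second hop authenticates end-to-end, so the private key stays
# on the personal device and agent forwarding is left disabled.
Host internal-host
    HostName internal-host.example
    User crsid-placeholder
    ProxyJump eng-gate
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no
```

With this in ~/.ssh/config, `ssh internal-host` reaches the on-premise system only via the approved gateway.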
Policy 3
Use the Department of Engineering or University's email system for University business, whether working remotely or using your own device. Do not use your personal email account(s) for University business.
Policy 4
No confidential or personal data are to be emailed in the body of an email, and no confidential or personal data are to be emailed in an attachment to an email, without the appropriate security.
Guidance
When you open a document sent via email, Outlook stores it in a temporary folder, where it remains until the document is saved elsewhere or deleted from that folder. To avoid this, we recommend that you save the document immediately to an appropriate storage location.
If the document cannot be saved securely, it must be removed as part of the logging out procedure.
Rather than sending documents in an attachment via email to share the information, place the documents in a Department of Engineering or University shared drive (e.g. IFS, OneDrive) and then send a link to the documents to share them.
If you have to email personal or confidential data, then encrypt the email and/or the attachment.
There may be department or team specific guidance where dealing with sensitive or confidential data that supersedes these guidelines, so please follow local advice in addition to this.
Policy 5
USB sticks or pen drives must not be used to transfer data, unless they are encrypted.
Guidance
USB sticks or pen drives are easily dropped or lost and could result in harm to the University. If you put your data on the University’s central systems, you can give access to others within Cambridge and elsewhere. See File storage and sharing for further options.
Policy 6
Cyber Security Training must be completed before using a personally owned device to connect to confidential data of the Department of Engineering or the University of Cambridge, or to connect to such data remotely, using a University-managed or owned device.
Guidance
Remember to report all incidents, including any suspected data breach, and always use a different device to make contact about a compromised device or account rather than the one that may be compromised.
See training modules in your MyCompliance library and the University’s Cybersecurity training.
More information on how to spot a suspect email and how to stay safe online is available in the NCSC guidance on dealing with a suspicious email and UK safe online guidance.
Policy 7
We recommend users abide by the Clear Screen and Clear Session Policies where possible:
Clear screen policy: every time you leave your desk, lock your computer.
Clear session policy: when you finish working for the day:
- If working on a single-access device, whether owned personally or by the University:
  - log out from all your sessions
  - if there are any security patches waiting, apply them, update and shut down
- If working on a shared-access device, whether owned personally or by the University:
  - clear all data from the download folder
  - clear all data from your temporary folders in emails
  - clear all data from areas you may have temporarily saved on your device
  - log out from all your sessions
  - if there are any security patches waiting, apply them, update and shut down
Policy 8
When working remotely, all users must access only information for which they have been authorised, and must use that information in an acceptable manner.