Information Protection and Handling Policy

Introduction

Information and IT systems are critical assets to our University. The loss, theft, or corruption of our information assets could have severe reputational, financial, competitive, or disruptive impacts on our University. Increasing dependency on the Internet, coupled with advances in technology, has made information more portable and more attractive to cybercriminals. Often, cybercriminals will exploit the behaviour of employees. Our adoption of the correct behaviours in handling and protecting our assets is, therefore, essential.

Our IT systems include computer equipment, mobile devices, Email, and Internet access provided for organisation purposes. Systems are monitored to help defend against malicious activity, including cyber-attacks.

Failure to protect and handle our information and systems in a way that reflects their value and sensitivity is taken very seriously. It may result in disciplinary action, which could lead to dismissal or legal proceedings.

Scope

  • This Policy applies to ALL of our University’s information in whatever form, including paper, digital or verbal, wherever created, collected, stored, processed, transmitted or destroyed
  • This Policy applies to ALL our IT systems, including networks, computer systems and files, servers, PCs and mobile devices, wireless connections, Email, voice mail and the Internet
  • This Policy applies to ALL our employees, contractors and University partners using or managing our information in any location or jurisdiction
  • Our Communication and Acceptable Use of Equipment Policy supports this Policy

Requirements

All information is classified according to the potential impact on our organisation if it were lost, stolen or corrupted. The three classifications are shown below. See also our Data Classification Policy.

  • Confidential – Information that, if compromised, could be detrimental to the interests of our organisation or cause significant difficulty or embarrassment to our organisation or its employees
  • Internal – Information that may be shared throughout our organisation but not approved for release into the public domain
  • Public – Information explicitly approved for release into the public domain or information that is already available to the public

Only reclassify information for which you are the Information Owner.

Only access information that the Information Owner has authorised you to access.

Think twice before clicking on any link or opening any suspicious emails

  • Be on the lookout for phishing emails. Be wary of emails that you have not solicited and always verify the source
  • Never disclose your password, regardless of who requests it
  • Be cautious about clicking on links to content on non-organisation websites
  • If unsure, check with your line manager or IT team

Create strong passwords and keep them secure

  • Do not write down your passwords
  • Create a password with a mixture of uppercase, lowercase, numbers, and special characters
  • Remember, it is your password, and you will be held accountable for all actions performed on our systems using your account

Keep your workstation clean and your screen clear

  • Never leave confidential information unattended at your workstation. When not in use, it should be secured in the appropriate lockable cabinet
  • At the end of each workday, lock away all portable devices
  • Before leaving your workstation, activate your screen lock
  • Use a monitor privacy filter screen if working with sensitive information
  • Never leave printouts in printer trays

Practice discretion when you are in public or online

  • Take care when discussing our organisation’s information in public
  • Identify all participants in a teleconference that discusses Confidential information
  • When sending an email, check that all recipients are authorised to receive the information
  • Please don’t use personal instant messaging services or personal Email to conduct our organisation’s business
  • Never use organisation systems to deliberately access, store, transmit or publish material that is sexually explicit, harassing or defamatory, that promotes terrorism or intolerance, or that is in any way inconsistent with our organisation’s policies
  • When posting online, never offer opinions on behalf of our organisation unless authorised
  • Always treat external social media sites as if they were publicly accessible. Never disclose Internal or Confidential information

Secure and Protect our Information Assets

  • You must receive authorisation before classifying information as Public
  • Handle Internal and Confidential information appropriately
  • Do not use voicemail or text messaging systems to communicate Confidential information
  • Only store our organisation’s information on organisation-approved applications and services, including those hosted on the Internet or in the cloud
  • You must receive authorisation from IT before implementing or using new ‘off the shelf’ solutions
  • You shall accept that our organisation’s IT systems are provided for organisation purposes and monitored to help our organisation defend against malicious activity, including cyber-attacks
  • Where limited personal use of our organisation’s IT systems has been allowed, you shall
    • Not make personal use of an unreasonable amount of our organisation’s network or other technology resources (e.g. to stream audio or video, download or store large files, or large amounts of printing)
    • Not allow personal use to interfere with your productivity or the productivity of others who are doing our organisation’s work
    • Not violate copyright, data protection regulations, or licensing arrangements (e.g. file-sharing of content protected by copyright)
    • Not use our organisation’s IT systems and services to run or support a private business
    • Not use our organisation’s IT systems and services to distribute spam, personal solicitations, or unsolicited advertising
    • Not assume that the organisation should store or recover personal content saved on our organisation’s IT systems
    • Not break local laws, cause harm or offence to others or negatively impact our organisation’s reputation or interests
  • Do not modify or remove pre-installed security functionality on our organisation’s IT systems
  • Personal devices used to access our organisation’s information should be kept up to date with the latest security updates from reputable suppliers
  • Do not connect untrusted removable media devices to our organisation’s IT systems (e.g. free promotional USB devices from third parties)
  • When travelling, keep our organisation’s information and portable devices holding our organisation’s information with you or locked in a safe location
  • You shall return our organisation’s information and IT equipment, including portable devices and removable media, to your Line Manager upon the termination of your employment or contract
  • Be aware of the security requirements for visitors to our offices
  • You shall ensure that all employees, contractors, or our organisation’s partners for whom you are responsible are aware of this Policy, and that you revoke access to our organisation’s information within two days for users who leave our organisation or move to a different role

If it looks suspicious, report it to IT or your Line Manager

You must immediately report the following to IT or get assistance from your Line Manager:

  • Theft or loss of our organisation’s computers, portable devices, storage devices or documents
  • Suspicious calls or requests for our organisation’s information
  • A suspicious or unfamiliar device that may have been attached to your computer
  • Signs of unauthorised access, for example, unexplained pop-ups or requests for credentials

Information Handling

We shall access/share/transmit/delete Confidential information as follows:

Via email

  • Email sent externally must be encrypted
  • Where email encryption is not feasible, attachments must be encrypted with a strong password. Do not share any of the message content in the body of the email if the email cannot be encrypted
  • Do not put ‘Confidential’ in the email subject line
  • Mark email calendar appointments as ‘Private’
  • Ensure that the email is sent to the correct recipients
  • Never use personal email accounts for our organisation’s business
  • Never create rules to auto-forward our organisation’s email to personal accounts
  • Include our disclaimer in all email

Via voice or video

  • Discuss confidential information in private meeting rooms, face-to-face or telephonically
  • Do not leave confidential information as voicemail or text messages
  • Take a roll call during a teleconference to confirm the number of lines as well as the identities of participants
  • Never use hotel phones

Via fax

  • The use of fax is NOT permitted

Via photocopy or Print

  • Permission of the Information Owner is required before printing. The Information Owner’s details must be included on printouts
  • Use only our organisation’s printers or copiers
  • Printouts and copies must be immediately removed from the printer

Via a courier

  • Only use a courier company that our organisation has accredited
  • Maintain a formal, documented record of the sent package
  • Use two layers of tamper-evident packaging. Label the outer package ‘Private’ and the inner package ‘Confidential’
  • Devices containing electronic information must be encrypted
  • The recipient must send written confirmation of receipt

Who can access it?

  • Restricted to authorised individuals on a need-to-know basis
  • Additionally, our organisation’s partners must have a non-disclosure agreement in place

How should I store it electronically?

  • Do not use the word CONFIDENTIAL in the file name
  • Store on our organisation’s IT systems using our organisation’s approved applications and services, where access is restricted to specific users. For example, a local drive or an internal file-share such as SharePoint
  • Portable devices must have encryption enabled

How should I store it physically?

  • Never leave our organisation’s CONFIDENTIAL information unattended on your desk
  • When not in use, store in an approved, locked security cabinet or with an approved storage vendor, or in an approved storage cabinet if working from home
  • Never leave documentation unattended in your vehicle
  • Contact our Organisation Security Manager for more information

How should I print or copy it?

  • Prints or photocopies must only be made with the permission of the Information Owner
  • Only print in our organisation’s offices
  • The Information Owner must be identified on printed copies
  • Collect prints immediately from the printer
  • Follow-me printing services or PIN protection must be used where available

How can I travel with it?

  • Do not access or discuss it in public areas
  • Keep the information or device with you or locked in a safe location when travelling

How should I destroy Confidential information?

  • Use a Confidential waste bin or cross-cut shredding or incineration for physical documents
  • Electronic devices must have the information permanently wiped or be destroyed; refer to our IT department

Review

This policy is dated XX/XX/XXXX and will be reviewed by STIU yearly, or from time to time as necessary or upon developments in the relevant technology, to ensure effective and appropriate security measures, in line with the minimum legal requirements prescribed by the laws and relevant authorities.