< Previous page ^ Table of Contents Next page >

Information Data Security Policy: Notice

29 July 2002

1. Introduction

In response to the passing of the Data Protection Act 1998, the Council established a Data Protection Working Party to consider the issues and bring forward policy and procedural proposals to the central bodies. The Working Party reported to the Council in July 2000 inter alia on the need to have 'appropriate technical and organizational measures against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or change to, personal data'.

The Information Strategy Group, at its inaugural meeting in June 2001, reviewed the Information Data Security Policy, prepared by the Acting Director of the Management Information Services Division in conjunction with the Data Protection Officer, that was modelled on BS7799 and the recommendations of the Joint Information Systems Committee (JISC), a universities-wide committee, that institutions should 'adopt a short easily understood high level policy intended to be read and accepted by all staff and students'.

This Notice outlines the Information Data Security Policy statement and procedures that can also be considered as part of the response to the CAPSA discussion and the Shattock/Finkelstein recommendations.

It should be noted that detailed documents exist in a number of areas, for example the Joint Report of the Council and the General Board on guidelines for the acceptable use of computers (Reporter, p. 865) and the Information Technology (IT) Syndicate Rules (Statutes and Ordinances, p. 608). In order to have a consistent approach the information in these documents is not repeated here but Web addresses for the related documents are listed in section 4.

It should also be noted that specific information relating to University of Cambridge copyright has been omitted from this Notice as the Joint Working Party on Copyright have provided separate recommendations on that matter (Reporter, p. 80).

It is expected that the policy will be reviewed on an annual basis by the Information Strategy Group, who can be considered as having ownership of the policy.

2. Background

Information Security is characterized as the preservation of:

(a) Confidentiality: ensuring that information is accessible only to those authorized to have access;
(b) Integrity: safe-guarding the accuracy and completeness of information and processing methods;
(c) Availability: ensuring that authorized users have access to information and associated assets when required.

The term management information systems is used in a very general sense to include all computer systems used for administrative purposes. This not only includes centralized administrative computer systems but also academic and administrative departmental systems from servers to desktop computers used for administrative purposes.

Information security is achieved by implementing a suitable set of controls, practices, procedures and organizational structures, and software functions. This Notice sets out, or makes reference to, procedures relating to the information security that aim to ensure the above criteria are met.

These aspects include:

Physical security and access control

Storage and disposal of sensitive manual records

Network and system security and antivirus protection

Access control

Back up and recovery

Business continuity

Mobile access and teleworking

The Policy in brief

The Policy statement affirms the importance of University-wide access to information:

The University recognizes that all staff and students must have access to the information necessary to fulfil their responsibilities. Appropriate procedures will be put in place to enable staff to obtain authorized access to the information they need, in a manner that enables them to carry out their work effectively and efficiently.

However, it does so in the context of appropriate security measures and compliance with legal requirements:

Access to information must be provided in a secure manner that aims to protect the confidentiality and integrity of that information without compromise to associated information or raw data.

The University, its staff, and students will need to comply with all applicable laws including the Data Protection Act (1998), the Regulation of Investigatory Powers Act (2000), the Human Rights Act (1998), the Copyright Designs and Patents Act (1988), the Computer Misuse Act (1990), and the Lawful Business Practice Regulations.

3. Compliance with security requirements

This section provides advice relating to physical security and security of manual documents that are not necessarily covered by the documents referred to in section 4.

Sub-sections 3.1 and 3.2 apply to both staff and students whereas sub-section 3.3 relates to staff only.

Use of Systems

It is essential to note that not all computer systems within the University are appropriate for the storage of sensitive information. If in doubt, advice should be taken from the appropriate Computer Officer.

3.1 Physical security

3.2.1 Office security

Locking an office door and/or filing cabinet is a simple but effective first barrier, reducing the risk of unauthorized access. Even if the data is not sensitive, its destruction or unauthorized change can cause disruption, cost time and money, and may be a disaster for the staff or student concerned. Offices and cabinets containing sensitive information, or equipment used to access it, should always be locked whenever the room is unoccupied.

3.1.2 Positioning equipment

Computer systems used to access sensitive information should be installed where they are only accessible to authorized personnel. Display screens and printers should be positioned to avoid accidental disclosure.

3.1.3 Avoiding leaving systems 'logged in'

All users must take appropriate precautions to ensure that another user cannot gain unauthorized access using their equipment. In particular, equipment should not be left unattended unless it has a password protected screen saver or menu or it has been switched off or logged out.

3.2 Avoiding unauthorized disclosure of information

3.2.1 Authorization to access information

Access to information must be authorized by an appropriate member of a Department, College, or institute. In particular, full authorization is required before information may be passed to another user or external body, for example for secondary uses.

It is good practice for all use of administrative information in reports or published materials to include reference to the source of data and the date it was extracted.

3.2.2 Disposal of equipment, media, and paper records

All equipment or media for disposal must be appropriately decommissioned. In particular, sensitive data and software covered by non-transferrable licences must be completely erased from the disk, for example by using appropriate low-level reformatting.

All sensitive and confidential paper records must be shredded prior to disposal.

3.2.3 Use outside University premises

University-owned equipment, data, or software must not be removed from site without formal management authorization.

If equipment (regardless of ownership) is used outside University premises to process sensitive information it must be subject to the same precautions as equipment used on the premises.

Equipment or media carrying sensitive information must never be left unattended in public places. It is strongly recommended that, if feasible, information is carried on media separate from the computer when in transit (e.g. on floppy disks) since they are easier to supervise. It is recommended that portable computers are carried as hand-baggage.

3.3 Approved information security classification

In order to avoid ambiguous treatment and marking of secure or sensitive information, the University recognizes the four classes of information defined below. For clarity all documents should be labelled appropriately. It is expected that the majority of internal office 'paperwork', such as memos or documents for internal circulation, will be classification level 1 (Cambridge Only).

3.3.1 Level 0: Unclassified or public information

Unclassified or public information is the largest class containing the majority of information.

(i) although documents in this class require no special marking, they should preferably be labelled 'Unclassified' or 'For public information'
(ii) documents require no special security measures and are available to all who wish to access the information (including world wide access)
(iii) electronic documents may be transmitted freely over the network and on national and international networks (e.g. using electronic mail or Web services)

3.3.2 Level 1: Cambridge Only

This covers information that is only available to students and staff within the Cambridge domain. It includes memoranda, minutes of meetings (not otherwise marked), and site-licensed software.

(i) documents should be clearly marked 'Cambridge Only' and may be circulated openly within the University. Copies must not be passed to a recipient external to the University without prior authority from the University
(ii) electronic documents on information servers on the University Data Network must have appropriate access restrictions (e.g. limited to the domain cam.ac.uk)
(iii) electronic documents may be transmitted freely over the University Data Network (academic and administrative sub-networks) using, for example, electronic mail but not over links to external networks or hosts without prior authority from the University

3.3.3 Level 2: Confidential information

This covers certain meeting minutes, general personal information, financial information, or other information designated as confidential but that may be dealt with by any staff with delegated responsibility from the recipient (i.e. it is not, in a strict sense, information 'for your eyes only').

(i) documents should be marked 'Confidential'; hard copy (paper) documents must enclosed in sealed envelopes also marked 'Confidential'
(ii) envelopes should only be opened by the designated recipient(s) or staff with appropriate delegated authority (e.g. confidential secretary or designated staff during absence)
(iii) hard copy documents will normally be kept securely (e.g. in a locked filing cabinet)
(iv) electronic documents should be properly protected against access by others (e.g. they should be accessible only from the owner's password-protected account)
(v) documents may be freely copied for personal use by recipients or staff with appropriate delegated authority. Copies may not be passed to anyone else
(vi) electronic documents in this category will not normally appear on information servers (World-Wide Web) without appropriate access controls (e.g. password-protected)

3.3.4 Level 3: Personal and strictly confidential information

This covers documents that contain highly sensitive information or personal details that are for the eyes of the recipient only, that is where delegated authority is not appropriate.

(i) documents should be marked 'Personal and Strictly Confidential'. Hard copy (paper) documents must be enclosed in sealed envelopes also marked 'Personal and Strictly Confidential'
(ii) envelopes may only be opened by the designated recipient(s)
(iii) electronic documents should be properly protected against access by others (e.g. they should be accessible only from the owner's password-protected account and/or encrypted)
(iv) documents may not be copied and are not to be passed to a third party without prior authority from the sender and recipient
(v) electronic documents in this category may only be transmitted (e.g. using electronic mail or file transfer) over the administrative or academic network if strong encryption is used

4. Related documents

Data Protection Act 1998:


Human Rights Act 1998:


Regulation of Investigatory Powers Act 2000:


The JANET Acceptable Use Policy:


Rules made by the IT Syndicate of the University of Cambridge:


Use and Misuse of Computers Guidelines:


The CUDN Acceptable Use Policy:


Security of Computers on the CUDN:


Guidelines for World Wide Web Information Providers in the University of Cambridge:


Health and Safety Regulations:


Personnel Division Guidelines on the Acceptable use of Computer Facilities, E-Mail, and the Internet:


Joint Report of the Council and the General Board on guidelines for the acceptable use of computers:


Safety and Security in the working environment:


Data Protection pages:


< Previous page ^ Table of Contents Next page >

Cambridge University Reporter, 7 August 2002
Copyright © 2002 The Chancellor, Masters and Scholars of the University of Cambridge.