Information Security Standards Role Responsibilities

A summary of the key points from the Information Security Standards, grouped by role.

Users

  1. Information Classification
    • Understand and apply data classification labels.
  2. Data Protection
    • Refer to DPO publications.
  3. Data Stewardship
    • Data users must respect the confidentiality of the data and only use it for the intended purposes.
    • Data users must report any suspected loss, unauthorized access or integrity issues to the Data Steward.
  4. Access Management
    • Account users must keep their passwords, passphrases and passcodes (or similar) secret and not share, post or otherwise give them away in any manner.
    • Account users must ensure that passwords, passphrases, passcodes (numeric) or similar are of sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value.
    • Users are denied local administrator accounts by default. Users must go through the appropriate process if they require an exception to this.
  5. Operational Security
    • Users involved in the development of new or existing University systems (e.g. developers and administrators) are required to adhere to the requirements within this Standard.
  6. Asset Management
    • Assist in risk assessments around the handling of data and whether additional encryption is required.
    • Ensure any storage media that they have used for University purposes is properly sanitised.
  7. Secure Configuration
    • Applies only to users involved in the development of University systems
  8. Security Assessment and Testing
    • Applies only to users involved in the development of University systems
  9. Physical Security
    • All users must adhere to the authentication mechanisms of secured areas.
    • Where a user’s equipment or asset is left unattended, the user must ensure that:
      • A screen lock is activated (which requires a password to gain access to the session again).
      • Active sessions are terminated when no longer required.
      • The equipment, where appropriate, is protected through a locking mechanism (e.g. laptop Kensington lock).
    • Where sensitive information resides on media, e.g. paper or removable storage, it should be securely stored (e.g. locked in a cabinet) when not required. This is especially the case outside of working hours.
    • No credentials for University systems, or information about them, may be left on, near or in the vicinity of equipment or assets (e.g. a post-it note on a monitor).
  10. Incident Management
    • Users are responsible for reporting potential security incidents and/or suspicious activity.
  11. Third Party
    • N/A
  12. Cloud
    • N/A
  13. Mobile Device
    • Users must always use the device in an appropriate manner and adhere to this Standard and the University’s Computing Regulations
    • When using a mobile or removable media device, users must never provide access to, or share the device containing the University’s information with any unauthorised party
    • Mobile device operating system software must be kept up to date. All security patches must be installed in adherence with the Secure Configuration Standard.
    • Smart devices must never be ‘rooted’ or ‘jailbroken’, or otherwise have manufacturer security settings and controls tampered with, changed or removed. Furthermore, they must not have unsigned applications installed, nor applications that are not available from an official application store.
    • Mobile devices must be password protected using the standard in-built security features of the device (such as a passcode, password or PIN), and additionally a strong password will be enforced prior to accessing the University network or resources, as detailed in the Access Management Standard.
    • Mobile devices shall not access or process University data unless a secure end-to-end connection has been established with the University system(s). All data will be transferred using a secure Virtual Private Network (VPN) or inbuilt equivalent alternatives such as UoE_DirectAccess to protect University data from unknown or untrusted wireless networks.
    • If travel to any ‘high risk countries’ as defined by the UK Government is required, the following additional precautions shall be considered:
      • Limiting the amount of physical data stored on the device
      • The use of a temporary device
      • The use of encrypted messaging facilities in replacement of standard telephone calls
      • Removal of VPN access.
    • All mobile devices or removable media devices used in a business capacity that are lost or stolen must be immediately reported to the Helpline in line with the Information Security Incident Management Procedure.
  14. BYOD
    • Accounts and passwords
      • Set and use a passcode (e.g. PIN or password) to restrict access to the device. The chosen passcode or password must be in line with the Access Management Standard. The passcode must not be shared with anyone else.
      • Fingerprint and facial recognition may be used in place of passcode where supported
      • Set the device to lock automatically when it has been inactive for no more than 10 minutes.
      • If you need to share the device with anyone else, set up unique user accounts with different passwords for each user.
    • Endpoint security
      • Install, configure and maintain up-to-date anti-virus / anti-malware software.
      • Block pop-up windows within browsers.
      • Avoid storing ‘sensitive’ data such as passwords within web browsers.
      • Dedicated password managers requiring a login can be used.
      • Encrypt the device, as required by the Asset Management Standard and the Computing Regulations.
    • Software
      • Minimise software on the device to only what is required
      • Ensure web browsers are configured securely and do not install plug-ins that are not required.
      • Operating systems and application software must be kept up-to-date. Where technically feasible, automatic updates must be enabled.
      • If the device is second hand, it must be restored to factory settings before using it for University purposes.
      • Only download applications (‘apps’) or other software from reputable sources such as known managed storefronts or from well established, known companies.
    • Networking
      • Enable a local (or a personal) firewall where possible.
      • Disable unnecessary networking features. This can include, for example, file and printer sharing services like SMB, or Near Field Communication (NFC).
      • Limit the use of remote access utilities to the device. For example, Remote Desktop Protocol (RDP) must require authentication (username and password) and only be available during the time it is required (time limited).
      • Control your device’s connections by disabling automatic connection to open, unsecured Wi-Fi networks and make risk-conscious decisions before connecting to any new access point.
      • Use the University VPN service when accessing University systems
    • General security
      • Take appropriate physical security measures. Do not leave devices unattended.
      • Do not download University data to store locally unless necessary and then only if the device is encrypted.
      • Where possible, do not use home printing.
      • Backups of University documents should be held on University supported services.
      • Keep master copies of work documents on a University managed storage service.
      • Only authorised University of Edinburgh users are permitted to access University systems or information assets. The device must not be shared with anyone else when accessing University systems or information assets.
      • Organise and regularly review the information assets on the device. Delete any data that is no longer needed.
      • When the device is no longer needed to access University services or data, the requirements of the University HR Policy and Asset Management Standard must be met. This includes securely deleting all University information and data from the device and confirming this has been done with line management.
      • Any suspected data breaches must be reported in line with University Incident Management Procedures.
      • Whenever available, approved remote access facilities must be used to access information on University systems.
      • Log out and disconnect at the end of each session.
    • Mobile Devices
      • Mobile phones should be kept fully up to date with all available patches and fixes for all software, not just critical operating system security fixes.
      • A PIN code or other secure means of accessing the device should be configured.
      • Review app permissions to ensure that only necessary apps are able to:
        • Share data
        • Request access to other data
      • An anti-virus solution should be in place.
      • Configure the device to enable it to be remote-wiped should it become lost.
      • Devices that have been ‘jailbroken’ or ‘rooted’ must not be used to access University services or data.
    • Users must obtain approval from their Line Manager/locally nominated person to use a BYOD. The only exception to this is the use of a personal mobile device to facilitate multi-factor authentication when accessing University services.
    • When a user changes roles, the user must agree with their new Line Manager/locally nominated person that they are still eligible to use a BYOD to access the University's systems and software within their new role.
    • If a user decides to no longer use their personal device for University purposes, they are leaving the University, or they are no longer eligible to use a BYOD, they must ensure all University information stored on the device is erased and any software licensed for use under the user’s affiliation with the University is removed.
    • All devices used in a University capacity that are lost or stolen must be reported to the employee’s line manager as soon as practicable, and any potential impacts to information security or personal data reported accordingly.
    • Users are responsible for notifying their mobile phone provider and/or the police in the event of loss or theft of a personal device used in a BYOD capacity.

 

Line Managers

  1. Information Classification
    • Understand and apply data classification labels.
    • Ensure that users are able to comply with the requirements of the Standard.
  2. Data Protection
    • Refer to DPO publications.
  3. Data Stewardship
    • N/A
  4. Access Management
    • The identity of anyone seeking access to University of Edinburgh information assets or technology must be validated before access is provided via a digital account. The individual’s line manager is responsible for validating staff identity (as required in the HR Security Standard) when they start working for the University.
    • Account users must keep their passwords, passphrases and passcodes (or similar) secret and not share, post or otherwise give them away in any manner.
    • Account users must ensure that passwords, passphrases, passcodes (numeric) or similar are of sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value.
    • Users are denied local administrator accounts by default. Users must go through the appropriate process if they require an exception to this.
  5. Operational Security
    • N/A
  6. Asset Management
    • N/A
  7. Secure Configuration
    • N/A
  8. Security Assessment and Testing
    • N/A
  9. Physical Security
    • Line managers should do everything they can to ensure the actions required by the Standard are completed, so that their users are able to adhere to it. All users and line managers must adhere to the authentication mechanisms of secured areas.
    • Where a user’s equipment or asset is left unattended, the user must ensure that:
      • A screen lock is activated (which requires a password to gain access to the session again).
      • Active sessions are terminated when no longer required.
      • The equipment, where appropriate, is protected through a locking mechanism (e.g. laptop Kensington lock).
  10. Incident Management
    • N/A
  11. Third Party
    • N/A
  12. Cloud
    • N/A
  13. Mobile Device
    • N/A
  14. BYOD
    • Approve or deny user requests for BYOD based on user need and risk. Keep records of those who participate in BYOD and for what reason.
    • For personal use:
      • Set and use a passcode (e.g. PIN or password) to restrict access to the device. The chosen passcode or password must be in line with the Access Management Standard. The passcode must not be shared with anyone else.
      • Fingerprint and facial recognition may be used in place of a passcode where supported.
      • Set the device to lock automatically when it has been inactive for no more than 10 minutes.
      • If you need to share the device with anyone else, set up unique user accounts with different passwords for each user.

Service Managers and Owners

  1. Information Classification
    • Service managers must understand and categorise the information handled by their services appropriately.
    • Service managers must ensure suitable security controls are put in place for the categories of information their services handle.
  2. Data Protection
    • Refer to DPO publications.
  3. Data Stewardship
    • Service Owners and Data Stewards of downstream systems must follow the published procedures for requesting access to data.
    • Service Owners and Data Stewards of downstream systems must report any suspected loss, unauthorised access or integrity issues to the Data Steward.
    • They must enforce any controls needed to protect the confidentiality, integrity and availability of the data, and only provide access to data users who have a defined business need and are appropriately authorised.
    • They are responsible for ensuring that they understand how the data is structured and what information the data conveys.
    • They may also have responsibility for keeping certain data up to date in the golden copy data set.
  4. Access Management
    • Privileged identities should be identifiable so that they can be distinguished from non-privileged ones. For instance, ‘_adm’ can be appended to admin/privileged user accounts, e.g. ‘johnsmith_adm’ (the administrator account) versus ‘johnsmith’ (the normal account).
    • Account users must keep their passwords, passphrases and passcodes (or similar) secret and not share, post or otherwise give them away in any manner.
    • Account users must ensure that passwords, passphrases, passcodes (numeric) or similar are of sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value.
    • Users are denied local administrator accounts by default. Users must go through the appropriate process if they require an exception to this.
  5. Operational Security
    • The relevant service managers/owners in the Colleges/Support Groups are required to implement the appropriate measures to adhere to the security requirements within this Standard.
  6. Asset Management
    • N/A
  7. Secure Configuration
    • N/A
  8. Security Assessment and Testing
    • N/A
  9. Physical Security
    • Relevant service managers/owners must implement the required and appropriate measures to ensure all users adhere to the Standard.
    • Where a user’s equipment or asset is left unattended, the user must ensure that:
      • A screen lock is activated (which requires a password to gain access to the session again).
      • Active sessions are terminated when no longer required.
      • The equipment, where appropriate, is protected through a locking mechanism (e.g. laptop Kensington lock).
  10. Incident Management
    • N/A
  11. Third Party
    • The relevant service managers/owners in the Colleges/Support Groups are required to implement the appropriate measures to adhere to the security requirements within the Standard when engaging with third parties.
  12. Cloud
    • Each cloud service will have a Service Owner assigned. The Service Owner must coordinate the deployment, operation and decommissioning of the service.
  13. Mobile Device
    • N/A
  14. BYOD
    • N/A

Heads of Colleges and Professional Support Groups

  1. Information Classification
    • Heads of College and Professional Support Groups are accountable for ensuring that data is appropriately categorised and secured.
  2. Data Protection
    • Refer to DPO publications.
  3. Data Stewardship
    • N/A
  4. Access Management
    • Account users must keep their passwords, passphrases and passcodes (or similar) secret and not share, post or otherwise give them away in any manner.
    • Account users must ensure that passwords, passphrases, passcodes (numeric) or similar are of sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value.
    • Users are denied local administrator accounts by default. Users must go through the appropriate process if they require an exception to this.
  5. Operational Security
    • The Heads of Colleges and Support Groups are responsible for ensuring that this Standard is followed by service managers/owners and users, and that the requirements of this Standard are built into all technology platforms and services.
  6. Asset Management
    • N/A
  7. Secure Configuration
    • N/A
  8. Security Assessment and Testing
    • N/A
  9. Physical Security
    • The Heads of Colleges and Support Groups are responsible for ensuring that this Standard is followed by service managers/owners and users, and that the requirements of this Standard are built into all technology platforms and services. They should also adhere to the Standard themselves.
    • Where a user’s equipment or asset is left unattended, the user must ensure that:
      • A screen lock is activated (which requires a password to gain access to the session again).
      • Active sessions are terminated when no longer required.
      • The equipment, where appropriate, is protected through a locking mechanism (e.g. laptop Kensington lock).
  10. Incident Management
    • N/A
  11. Third Party
    • The Heads of Colleges and Support Groups are responsible for ensuring that this Standard is followed by service managers/owners and users, and that the requirements of the Standard are built into all third party engagements.
  12. Cloud
    • The Heads of Colleges and Support Groups are responsible for ensuring that this Standard is followed by service managers/owners and users, and that the requirements of this Standard are built into all technology platforms and services.
  13. Mobile Device
    • N/A
  14. BYOD
    • Ensure that all users within the business unit or College are adhering to the BYOD standard.
    • For personal use:
      • Set and use a passcode (e.g. PIN or password) to restrict access to the device. The chosen passcode or password must be in line with the Access Management Standard. The passcode must not be shared with anyone else.
      • Fingerprint and facial recognition may be used in place of a passcode where supported.
      • Set the device to lock automatically when it has been inactive for no more than 10 minutes.
      • If you need to share the device with anyone else, set up unique user accounts with different passwords for each user.

Data Stewards

  1. Information Classification
    • The Data Steward must understand and apply data classification labels appropriately.
  2. Data Protection
    • Refer to DPO publications.
  3. Data Stewardship
    • The Data Steward must satisfy themselves that adequate security measures are in place for the data.
    • Data must be protected from unauthorised use, alteration or disclosure. The sharing and release of information must be balanced against the need to restrict the availability of classified, proprietary, personal and other sensitive information.
    • The Data Steward must classify data items into the levels of confidentiality described in the Information Classification Standard.
    • The Data Steward must report suspected loss, unauthorised access or exposure of the data from their data set, and work with the system providers to rectify such problems as arise.
    • The Data Steward must approve the release of their data to any third party before anyone else may use it.
    • The Data Steward must maintain a record of other systems that have access to the data and what the data is being used for.
    • For restricted and confidential data, the Data Steward must regularly, and at least annually, review the list of staff and systems that have access to the data and ensure that the continued use remains justified and proportionate.
    • The Data Steward is responsible for ensuring the data under their stewardship is adequately documented.
    • The Data Steward must define acceptable levels of quality to ensure that the data under their stewardship is accurate, consistent and up to date. They are also responsible for ensuring that effective and sustainable processes exist to ensure that the data meets these levels of acceptance.
    • If an existing service procures a new system, the Data Stewards of the data sets affected are responsible for satisfying themselves that the security, access, documentation and quality aspects of those data sets have been addressed during the procurement process. When a new service is created, the procurement project must identify a Data Steward as part of the procurement process.
  4. Access Management
    • Account users must keep their passwords, passphrases and passcodes (or similar) secret and not share, post or otherwise give them away in any manner.
    • Account users must ensure that passwords, passphrases, passcodes (numeric) or similar are of sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value.
    • Users are denied local administrator accounts by default. Users must go through the appropriate process if they require an exception to this.
  5. Operational Security
    • N/A
  6. Asset Management
    • N/A
  7. Secure Configuration
    • N/A
  8. Security Assessment and Testing
    • N/A
  9. Physical Security
    • All users must adhere to the authentication mechanisms of secured areas.
    • Where a user’s equipment or asset is left unattended, the user must ensure that:
      • A screen lock is activated (which requires a password to gain access to the session again).
      • Active sessions are terminated when no longer required.
      • The equipment, where appropriate, is protected through a locking mechanism (e.g. laptop Kensington lock).
  10. Incident Management
    • N/A
  11. Third Party
    • N/A
  12. Cloud
    • N/A
  13. Mobile Device
    • N/A
  14. BYOD
    • Data Stewards must report any loss or compromise of data known to them through BYOD.
    • For personal use:
      • Set and use a passcode (e.g. PIN or password) to restrict access to the device. The chosen passcode or password must be in line with the Access Management Standard. The passcode must not be shared with anyone else.
      • Fingerprint and facial recognition may be used in place of a passcode where supported.
      • Set the device to lock automatically when it has been inactive for no more than 10 minutes.
      • If you need to share the device with anyone else, set up unique user accounts with different passwords for each user.

Further details on the Data Steward role can be found on the ISG Enterprise Architecture pages.

The Information Security Standards can be found on the Information Security SharePoint site. Please note that direct links to individual standards should be avoided; link instead to the Minimum and Required Reading page (https://infosec.ed.ac.uk/information-protection-policies/information-security-required-reading).